When the Auditors Get Audited

Transcription

1 When the Auditors Get Audited Lisa Jensen, MHBL, FACMPE, CPC April 11, 2016 Disclaimer These educational materials were current at the time they were published and created. They were prepared as tools to assist in teaching; they are not intended to create any rights, privileges, or benefits. Although every reasonable effort has been made to assure the accuracy of the information within these materials, the ultimate responsibility for complying with the Federal fraud and abuse laws lies with the organization. Providence Health Plans agents, and staff make no representation, warranty, or guarantee that these compilations of information are error free and will bear no responsibility or liability for the results or consequences of the use of these materials. These educational materials are not legal documents. The official information is contained in the relevant laws and regulations. 1

2 Agenda CMS Audit Elements of the Audit Plan Best Practices Lessons Learned Providence Health Plans Providence Health Plans is a part of the integrated delivery system of the five state Providence Health & Services. Provide or administer health coverage to more than 500,000 members nationwide. Offer insurance for commercial groups, ASO, Medicare, Medicaid, individuals and State Sponsored Exchange products. Geography Oregon, Southwest Washington Partners Health Republic Insurance, Premera Blue Cross Blue Shield, Providence Health Network, Intel 5-star rating by Medicare for our HMO and HMO-POS plans in 2014 and 2015 Over 24,000 Medicare Advantage members, plan since

3 PHP External Audit/Payment Integrity Department/ SIU Medicare C and D Oversight The Medicare Parts C and D Oversight and Enforcement Group (MOEG), Part C and Part D program audits. Confirm sponsors deliver benefits in accordance with the terms of their contract and plan benefit package. Evaluate sponsors compliance program requirements, especially those that safeguard beneficiaries access to medically necessary services and prescription drugs. This ensures the integrity of the Part C and Part D programs and protects the health and safety of Medicare beneficiaries. 3

4 CMS Audit In May 2014, CMS conducted both remote and On- Site Audits of PHP s Medicare Advantage and Part D Compliance Program. As a result of the audit, PHP s Medicare Compliance Department made a number of learnings. This presentation has been prepared in an effort to assist other SIUs with meeting CMS compliance requirements in the event that CMS Audits the Auditors CMS Audit All organizations offering a Medicare Advantage (Part C) and/or Medicare Prescription Drug Plan (Part D) must have an effective compliance program CMS provides copious guidance on the content and requirements of compliance programs CMS guidance concerning the FWA function has been available since 2006 CMS draft of updated guidance released Feb 2012 New CMS Medicare Advantage and Part D Fraud Handbook added March

5 Audit Timeline Start Notice/Engage ment Letter The Auditor-in- Charge (AIC) contacts the SO (sponsor s) compliance officer via phone and then sends an audit engagement letter Follow-Up Call The AIC conducts a follow-up call with the SO and the audit team 1-2 days after the date of the engagement letter Pre-Audit Issue Summary and Associated BIAs Submitted to CMS from the SO Within 5 business Universe Request Conference Calls Prior to upload of the universe Universe Submission to CMS from the SO Within 15 business days of receiving the engagement letter Audit Timeline Cont. Universe Validation Webinar After the universes have been uploaded by the SO, Send SO Audit Schedule CMS will send the SO a schedule of audit activities for the week of the webinar and onsite audit Draft Audit Report Preparation and Issuance to SO At the conclusion of the audit, CMS prepares and issues a draft audit report (goal is within 60 days of the conclusion of the audit). The SO has 10 business days to respond to the report with comments to CMS. Issuing the Final Audit report and Corrective Action Requirement(s) CMS issues the final report (the goal is within 10 days from receiving the SO comments). CMS provides the SO with 7 days to submit a corrective action plan for correcting any deficiencies 5

6 How Does It Start? An engagement letter will be sent 6 weeks prior to the audit start date, notifying you of the date the audit will begin, the scope of the audit, the contact information for the MOEG Auditor-In- Charge, information being requested from the sponsor (e.g., universes). Sponsors will be expected to submit universes 3 weeks prior to the start date of the audit. What About ? starts a new audit cycle. All sponsors, even those audited in the previous cycle ( ), will be considered for audit selection. For 2014 audits, CMS audited plans that provide 96% of Medicare Advantage and Prescription Drug enrollees services, began auditing with outcome-based audit protocols. They will continue to utilize a risk-based approach to selecting sponsors for audit (both high and low risk), while also taking into account other key factors like: the sponsor has never previously been audited; the sponsor is new to the program (i.e., is in their first 2 years of operation and has no previous affiliation with the Medicare program); or the sponsor represents a large percentage of MA or Part D enrollment. 6

7 BTW: Did You Know, You Should Already Know This! Many were not audited in this first cycle, the publishing of audit related performance data and information of external websites (e.g., best practices and common findings memos, audit protocols, audit scores, etc.) should have improved the level of compliance of all sponsors throughout the industry. Universe Selection Sponsors are expected to provide accurate and timely universe submissions. In 2016, sponsors will have a maximum of 3 attempts to provide each universe requested: If the sponsor fails to provide accurate and timely universe submissions twice, CMS will document this as an observation in the plan s program audit report. After the third failed attempt the sponsor will be cited Immediate Corrective Action Required (ICARs) for every condition that cannot be tested due to the inaccurate universe (i.e., if there are 11 audit conditions that could have been tested in a given universe, we will automatically cite 11 ICARs, one for each possible condition that could have been tested). 7

8 Self Disclosed vs. Self Identified A disclosed issue reported to CMS prior to the date of the audit start notice. A self-identified discovered by the sponsor but notification was not made to CMS until after the date of the audit start notice. Sponsors asked to provide a list of all previously disclosed and selfidentified issues of non-compliance, from January 1, 2016 through the date of the audit start notice. Sponsors must provide a description of each issue as well as the remediation status using the Pre-Audit Issue Summary template. Each disclosed and self-identified issue require a Beneficiary Impact Analysis (BIA). The BIA should include every impacted beneficiary across all of the sponsor s contracts for the time period January 1, 2016 through the date of the audit start notice. Both the issue summary and the associated BIA(s) are due within 5 business days after receipt of the engagement letter. FWAM Did the sponsor establish, maintain and implement effective compliance and FWA training? CMS will test each of the 6 tracers by reviewing the data and documentation provided by the sponsor while onsite. CMS will also conduct interviews while onsite to provide additional information on the sponsor s compliance program. If CMS requirements are not met, a condition (finding) will be documented. If CMS requirements are met, no conditions (findings) are documented. 8

9 Tracer Documentation CMS will review all tracer documentation to determine that the compliance program elements were effectively met. An explanation/ evidence risk assessment indicating how issues are identified. Copies of monitoring reports showing the outcomes of monitoring Copies of trending reports showing the trend of the issue (i.e., the issue is being or has been remediated over time or the issue is still occurring). Copies of audit reports showing the results of any audits conducted for the identified issue. Evidence/ explanation of any follow up done For employees involved in the tracers, evidence that the employees were checked against the OIG/GSA exclusion lists. For FDRs, evidence that the FDRs were checked against the OIG/GSA exclusion lists. Fraud Waste and Abuse Monitoring (FWAM) Include: all monitoring activities and investigations performed to identify and address potential or suspected FWA at both the sponsor and FDR levels Monitoring: predictive analytics, data mining, outlier analysis, comparison of claim information against other data, prescribing and dispensing practices of providers, fraudulent activities of plan members, aberrant pharmacy billing, medical claims, PLATO, Medicare waste by identifying overpayments, etc Investigations: employee misconduct, fraudulent provider or pharmacy claims, fraudulent vendor (FDR) invoices, misuse of Medicare beneficiary information, overpayments, complaints or tips received through hotlines, referrals, internal operational areas, FDRs/contractors, fraud alerts from CMS, providers, members, MEDIC, law enforcement, etc. Exclude: non-medicare Parts C and/or D FWA monitoring, investigations or actions (e.g., commercial, Medicaid) 9

10 FWAM Universe Field Name Description Name of the sponsor component, department, FDR or Name of Component, FDR or enrollee that was monitored or investigated for potential or Enrollee suspected FWA. Was this FWA effort related to Medicare? Type of FWA Activity Yes(Y)/No (N) indicator of whether the FWA event related to Medicare? Or TBD Indicate if the activity is related to Monitoring or an Investigation NOTE: Monitoring is the use of data analysis/claims information/cms fraud alerts to identify internal/external unusual patterns, practices, providers. Investigation refers to case development for detected or reported cases of noncompliance, illegal, fraudulent, or wasteful activity. Date FWA Activity Started Provide the date that the monitoring or investigation activity was initiated, started or reopened. Date FWA Activity Completed Provide the date that the monitoring or investigation ended. FWAM Universe Continues Field Name Description Frequency of the monitoring or investigation (e.g., weekly, monthly, quarterly, annually, ad-hoc, Frequency of FWA Activity incident/event-based) Who conducted the monitoring or investigation (e.g., Internal or External operational area, compliance department, legal, SIU, Auditors FDR). Description of FWA Activity Were FWA Risks Identified? Communication & Reporting Mechanism Description of what was monitored or investigated (operational area, pharmacy claims, provider claims, employee, enrollee or FDR misconduct). Yes(Y) or No (N) indicator of whether the monitoring effort or investigation was initiated based on being identified through a risk analysis or assessment. Yes(Y) or No (N) indicator of whether the monitoring effort or investigation performed based on an inquiry submitted to the sponsor s compliance/fwa reporting system? (e.g., telephone hotlines, mail drops, , website). 10

11 FWAM Universe Continues Field Name Were any issues or deficiencies discovered? Number of Deficiencies Description Yes(Y) or No (N) indicator of whether any issues, findings or deficiencies were discovered during the monitoring effort or investigation? Or TBD Provide the number of deficiencies, findings or issues identified. Answer NA if no deficiencies were identified or discovered. Description of Deficiencies Was corrective action taken? Corrective Action Description Were monitoring results shared with others? Provide a description of all deficiencies, findings or issues identified during the monitoring activity or investigation. If the monitoring event is identified in the pre-audit issue summary submitted to CMS, please provide the issue number. If monitoring event or investigation is currently in progress and deficiencies have yet to be identified, explain why this activity is still in progress with an estimated date in which the activity will be closed and/or deficiencies will be identified. Yes (Y) /No (N) indicator of whether corrective action has been taken. Or TBD Provide a description of the corrective action(s) implemented by the sponsor in response to potential or suspected FWA discovered during the monitoring or investigation, including any root cause analysis for what caused the deficiencies/problems, timeframes for specific achievements and any ramifications for failing to implement the corrective action satisfactorily. Or NA Describe how the results of the monitoring activity or investigation were communicated or shared with sponsor s affected components, compliance department, senior management, and the FTE. Distribution of Duties Does one department do all your FWA work? HR investigate employee wrong-doing? Managers investigate employee issues? Compliance department monitor/ oversight FDR compliance? Compliance Department monitor/ audit department compliance? Medical Quality? Informatics? IT? 11

12 Example of an Audit Condition CONDITION: Sponsor did not conduct timely, well-documented and reasonable inquiry into a compliance incident or issue or potential FWA. CRITERIA: 42 CFR (b)(4)(vi)(G) 42 CFR (b)(4)(vi)(G) Medicare Managed Care Manual, Chapter 21, Section Prescription Drug Benefit Manual, Chapter 9, Section CAUSE: Sponsor could not provide a reason why it did not initiate an investigation of the issues in a timely manner. EFFECT: Failure to conduct timely, well documented, and reasonable inquiries into any compliance incident or issue involving potential Medicare program noncompliance or potential FWA can allow said issues to persist and recur in the future. Contracts Affected Contract Number(s) Sample Case Number(s) CORRECTIVE ACTION REQUIRED: Sponsor must put a system in place to ensure all inquiries into incidents of potential noncompliance or FWA are conducted timely, well documented, and performed reasonably. Can You Provide Proof of Training? Provide a list of all Medicare FWA training provided to your employees, volunteers, members of the governing body, FDRs and/ or others during the audit period. 12

13 Yes Training Happened Sign in sheets Electronic training logs Copies of power point or other presentations Copies of handouts, cheat sheets Compliance, HR training or Operational Area Training? Can You Prove Effectiveness of Training? Provide a description, including of how it was determined that training and education was effective in reducing compliance and FWA risks. 13

14 Yes Training Effectiveness Pre and Post tests Track number of referrals from internal and external sources Employee survey Pop Awareness Quiz/ Mock Audit Can You Prove Monitoring FWA? Provide a description, including examples, of specific monitoring activities performance during the audit period to prevent and detect FWA and response to CMS Fraud Alerts. Current list of all potential incidents during audit period 14

15 Yes Monitoring FWA All places in health plan where fraud waste and abuse might be caught Quality control functions Appeals and Grievance SIU data mining Internal and External Referrals Clinical Edits Part D monitoring Etc. Can You Provide a List of Current Incidences? How are you tracking your incidences of potential fraud waste and abuse? Spreadsheet Project tracking system Access Database Vendor solution Homegrown 15

16 Yes - List of Potential Incidents Date of Incident Source Nature of Incident Operation area affected Subject ID Date of Resolution Resolution of Issue Geographic Area Zip Code Your Own Potential Incidents Are your dates in compliance with regulation? Reasonable inquiry completed within 14 days Referral to CMS of potential FWA within 30 days? 16

17 Your Own Potential Incidents Date of Resolution Was your resolution timely? Can you demonstrate reasonable haste? Can you demonstrate reasonable actions? Do you have evidence of consistent progress towards resolution? Do you have evidence of attempts to address delays? Your Own Potential Incidents Resolution of Issue Do you have a root cause analysis documented? Do you have clear investigative actions documented? Is there evidence of management oversight and QA? Is there evidence of communication to the compliance committee, upper level leadership? 17

18 Best Practices Does Leadership demonstrate a commitment to compliance and anti-fraud? Do we have written standards of conduct and policies and procedures that are updated at least annually? Are employees required to sign off that standards of conduct and policies and procedures are reviewed? Best Practices Do we document and retain evidence of identification of and response to potential fraud waste and abuse? Do we have evidence that we do not tolerate retaliation against those who report fraud waste or abuse? Do we document referrals to law enforcement, CMS or other regulators? 18

19 Best Practices Do we document all employees, FDRs, Board Members and providers are checked against the HHS OIG and GSA debarment lists? Can we demonstrate refunds, recovery of losses, recovery of overpayments and pre payment denials related to fraud, waste and abuse? Best Practices Can we demonstrate disciplinary polices? Can we demonstrate appropriate actions/sanctions disciplinary actions taken? Can we demonstrate changes based on outcomes of audits? Policy changes, edits, revisions to process? 19

20 Best Practices Can we demonstrate FWA training for new hires within 90 days of hire? Do employees receive general compliance training? Do we publicize visibly ways to report potential FWA, is at least one anonymous? Best Practices Can we provide evidence that FWA is discussed with management, i.e., compliance committee, board, etc? Are business monitoring results tied to leaders compensation? Do we collaborate with Part C and D fraud work group and attend regular meetings? 20

21 What is Evidence of Effectiveness? For the SIU it s all about the data Case documentation Monthly, quarterly, annual reports Work load Recoveries, savings, forfeiture Timelines, timeliness Corrective actions and referrals Life Cycle of Case Detection Monitoring Preliminary Investigation Prevention Assignment to Investigator/ Auditor Corrective Action Determination 21

22 Case Documentation Case Tracking Documentation 22

23 Events for Tracking - Sample Accepted by FBI Accepted by MEDIC Accepted by OIG Acquited Appeal Decision- Fully Upheld Appeal Decision- Overturned Appeal Decision- Partial Upheld Appeal Received Convicted - Civil Desk Audit Completed Convicted - Criminal Desk Audit Started Convicted - Provider Excluded Convicted-Integrity Agreement Convicted- Restitution Ordered Convicted- Settlement Agreement Corrective Action Plan Data Analysis Completed Data Analysis Approved for Closure Intiated Audit Findings approved Denied by FBI Audit Findings denied Denied by MEDIC Audit Findings submitted Denied by OIG Complaint Research in Progress Denied for Closure Education Letter Sent Extrapolating Recovery Amount Indicted - Civil Indicted - Criminal Info Submitted Initial Contact Insignificant Loss Insufficient Info to Pursue Investigation Completed Investigation Initiated Lead approved by Committee Lead denied by Committee Lead submitted to Committee Major Problems Identified Manager Review Manager Review Complete Manager Review Follow Up Manager Review Request Member Interviews - Completed Member Interviews - Initiated Member Survey Completed Member Survey Sent Minor Problems Identified Moderate Problems Identified New Claims Edit Implemented New Claims Edit Recommended No Problems Identified Onsite Audit Completed Onsite Audit Scheduled Refund/Education Letter Sent Overpayment Calc Completed Phone In Phone Out Fax In In Correspondence In Correspondence Out Delivery Receipt Received Overpayment Re-Calc Completed Reconsideration 2 In Performing 6 mo Follow Up Arbitration Request Answered Prepay Pend Initiated Frequent Activity Prepay Med Recs Release Ready Prepay Med Recs Submitted Rev Prepay Medical Review Complete Prepay Pend Initiated Prepay Pend Cancelled Refer Ins Div or License Brd Financial Tracking - Sample 23

24 Monthly Reporting - Sample Medicare Advantage SIU Regulatory Report Date Range: 5/1/2015-5/31/2015 Timely Response Compliance Did PHP meet the reasonable inquiry deadline of 2 weeks? Did PHP meet the MEDIC response deadline of 30 days? Did PHP meet the MEDIC referral deadline of 30 days? CMS Defined Element Number of Cases Potential fraud and abuse incidents related to inappropriate billing 3 Potential fraud and abuse incidents related to providing false information 1 Potential fraud and abuse incidents related to doctor shopping/drug seeking beneficiary 7 Potential fraud and abuse incidents related to attempting to steal identity/money 0 Potential fraud and abuse incidents related to other areas not listed above 5 Total potential fraud and abuse incidents identified 16 CMS Defined Actions Number of Cases Potential incidents identified through internal efforts 0 Potential incidents received from external sources 8 Total potential fraud and abuse incidents that were closed 8 Potential fraud and abuse incidents referred to CMS for action 5 Potential fraud and abuse incidents referred to federal law enforcement for action 0 Potential fraud and abuse incidents referred to local law enforcement for action 0 Potential fraud and abuse incidents referred to State Insurance Commissioners (SICs) or state licensing authorities 0 CMS Defined Totals Number of Cases Inquiries initiated by the Sponsor as a result of potential fraud and abuse incidents 8 Corrective actions initiated by the Sponsor as a result of potential fraud and abuse incidents 0 Y Y Y Leadership Reporting - Sample 24

25 Leadership Reporting - Sample Leadership Reporting Data Ideas Number of educational interventions Number of employees, FDRs educated Number of referrals to regulators Issues that impact various lines of business Collection or denial percentages Sources of Lead/Allegation/Discovery 25

26 Lessons Learned It s not fun to hear your words come back to you from a CMS auditor Case documentation must be easy for someone who doesn t work in your department to understand There is some auditor interpretation in much of what we do, and them too One mistake can and does hurt you Lessons Learned FDR education and fraud monitoring language is intermingled with SIU education and fraud efforts. Plan wide risk assessment or SIU specific risk assessment Medicare wants their own..everything! Regularly monitor your CMS resources (hint - see next slide) 26

27 Your Resources The purpose of this web page is to increase transparency related to the Medicare Advantage and Prescription Drug Plan program audits Information regarding the Program Audit Process and Protocols, Frequently Asked Questions, and HPMS Memo s relating to the Program Audit process are located in the Downloads section. Program Audits Web Page 27

28 Your Resources CMS Manual Chapter 9/21 -Drug- Coverage/PrescriptionDrugCovContra/Dow nloads/chapter9.pdf Medicare Managed Care Manual Guidance/Guidance/Manuals/Internet- Only-Manuals-IOMs- Items/CMS html Your Resources CMS Outreach and Education MEDIC h-materials/for-plan-sponsors/ Fraud Handbook 28

29 Questions? Lisa Jensen 29