CMS recently started its 2015 “audit season” using program audit protocols issued earlier in the year. CMS periodically changes its audit protocols, and this is a year of significant changes, as our analysis and our experience with first-wave plans undergoing the CMS program audit have shown.

Visante and HTMS, consulting firms with experts working in Medicare Part C and D, recently provided a no-fee webinar to share our analysis of the risk points stemming from these changes. Due to the overwhelming response, and at the request of attendees, we are providing this summary for executives, managers, and staff.

Risk Point #1: Audit Universe Accuracy and Completeness

The audit universe templates have changed, from format and layout to number and composition. Some changes are for the good, such as the breakout into specific, targeted templates. Other changes bring the need for investing in process, production, and system modifications, such as the move from Excel to a “.txt” document format, enhanced case parameters, and limited characters for certain fields. All of these changes can bring risks.

This year, CMS has increased its universe data validation effort with mandatory re-submissions and a pre-audit webinar in certain audit areas to push for data accuracy. Along with this, CMS has reduced the margin of error and heightened the consequences for failures. Missteps in submitting accurate universe data in the prescribed format, and burning through CMS’ “3 strikes” (resubmissions), could result in compliance and enforcement actions.
• The “3 strikes” policy for failed universe submissions starts with the resubmission of the universe without corrective action, moves to the issuance of an “Observation,” and finally an ICAR for every condition that could not be tested in the universe.
• The greatest impact is to the universes capturing coverage determinations, appeals and grievances, known as ODAG (Part C) and CDAG (Part D). CMS deconstructed the previous 3 ODAG and 3 CDAG universes to 13 and 15 templates respectively, and made a number of modifications.

The challenges to Plans include —
• An increase in plan susceptibility to universe errors due to template changes and the sheer numbers of universes.
• Assessing the extent to which previously programmed queries need to be overhauled, including more complex queries with filters (increasing the risk of errors and omissions).
• An increase in time and cost to strengthen the QA process for universes, and the risk that QA testers may be “blinded” by cut and paste short-cuts and subtle differences between templates.
• Addressing new data elements, including the need to query multiple systems and merge data for universe submissions – and even modifying workflow systems to accommodate additional data elements for tracking and reporting.

Risk Point #2: Pre-Audit Issue Summary

The 2015 protocols create an additional focus on the ability of Plans to identify their own issues. The Pre-Audit Issue Summary requires Plans to report the disclosed issues submitted to CMS on an on-going basis and to report self-identified issues notified to CMS after the date of the audit start notice. The format for reporting these issues is more detailed, and includes corrected and uncorrected issues. There is a time limit for submission of this report, and consequences if the time frame is missed – or if a Plan misses issues.

Risk Point #3: Beneficiary Impact Analysis

A Beneficiary Impact Analysis (BIA), in the CMS format, must be submitted for each of the issues on the Pre-Audit Issue Summary and for certain issues discovered during an audit. The challenges for Plans include developing the BIA queries, having adequate staff resources to carry out the analyses, especially on issues identified once the audit notice has been received, and submitting adequately developed, accurate BIAs on time. CMS limits the number of attempts to provide an accurate BIA, with a range of consequences for failed or untimely submissions.

Risk Point #4: Questionnaires

The protocols continue to use a “self-assessment questionnaire” for the Compliance Program Effectiveness component of the audit. In 2015, CMS has introduced questionnaires for ODAG and CDAG that must be submitted before the start of the audit webinars. The questions (15 for ODAG, 17 for CDAG) cover various facets of Plan operations ranging from staffing to mail room practices. These questionnaires give CMS an opening to drill down during the webinars, testing responses against actual operations and performance, and gaining greater insight into Plan compliance.

Risk Point #5: Aggravating Circumstances

Since 2012, CMS has released four memoranda summarizing the common compliance issues found during its program audits and has stated that the agency continues to find many of the same “Common Conditions or Findings” during its yearly program audits. For 2015, CMS will escalate the consequence of finding a condition from one or more of these memos, and substantial failures may result in additional enforcement actions due to these “aggravating circumstances.”

Recommended Action Steps
1. Educate key managers and executives on the impact of the protocol changes for support and buy-in to an audit readiness plan.
2. Identify and prepare sample universes, conduct QA, and identify corrective action steps.
3. Prepare questionnaire answers and coordinate responses with FDRs, where necessary.
4. Conduct a CMS mock audit (or abbreviated mock audit), carry out CARs and ICARs on findings, and validate remediation efforts.
5. Strongly advise Medicare operations and FDRs to report compliance issues to the Medicare Compliance Officer ASAP, to build communication and coordination.
6. Start BIAs for issues

For further information and assistance, send your query to
