Medicare Parts C and D Universal Audit Guide

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
GENERAL INSTRUCTIONS:
Time Period for Universe Requests
The applicable time period for the data requests is 1 year from the date of receipt of the Notice of
On-Site Audit and Inspection, or from [Month DD, YYYY] through [Month DD, YYYY].
Data Requests
Unless otherwise indicated, please provide all information in Excel format. Please do NOT
submit the actual documents unless specifically requested by CMS. After your organization
submits this data to CMS, we will request specific samples or documents needed for our review.
Documentation Requests
For each documentation request, please submit ONLY that which is specifically requested.
Requests for documentation that do not otherwise indicate a specific format for submission may
be submitted in either a Microsoft Word or PDF format. All data and documentation requests
identify the related elements of the compliance program requirements. Your organization must
provide a table of contents of the requested documentation by element.
Data and Documentation Requests:
1.

(Applicable to Element I) All Standards of Conduct/Code of Conduct that were
distributed to employees during the audit period. Please state the effective date(s) of
these Standards of Conduct.

2.

(Applicable to Elements I, II, III, IV, V, VI, VII and FDR Oversight) If you have a
Medicare Compliance and/or Fraud, Waste, and Abuse (“FWA”) Plan, or similar
document(s), please provide version(s) in effect during the audit period and state the
effective date(s).

3.

(Applicable to Elements I, III,VI and VI) A current 1 listing of all of your organization’s
employees 2 (permanent, temporary, full-time, part-time, including senior management),
volunteers (e.g. unpaid interns) who have job duties (full-time or part-time) related to
your Medicare Advantage (Part C) and or Prescription Drug (Part D) business. This list
should include members of your Board of Directors who worked/served at any time
during the audit period.

1

Throughout this request, “current” is defined as at any time during the audit period listed above.
Please note, this request calls for all such employees, volunteers and directors who worked/served at any time
during the audit period, not just those who are working/serving at the time of this data request.

2

Page 1 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
x

x

4.

Please include the following fields: name, title, organizational component, date of
hire, if first employed during audit period, physical location and direct phone
number.
Also, please specifically identify in the listing:
(a) Temporary employees;
(b) Volunteers; and
(c) Members of the Board of Directors and date of appointment if appointed
during audit period.

(Applicable to Element I and IV) A list of your current Medicare compliance program
policies and procedures, including the date of the last revision for each (or last review
date, if no revisions were made). Do not provide copies of your actual policies and
procedures. Also, please specifically identify in the listing:
(a) Policies and procedures revised during the audit period based upon identified
non-compliance or FWA issues.
(b) Policies and procedures updated to incorporate changes in applicable laws,
regulations, and/or other Medicare program requirements during the audit
period.

5.

(Applicable to Element II) Please provide the following information regarding your
compliance program and staff that support your Medicare compliance function:
(a) Identify your Compliance Officer/compliance staff and provide current job
descriptions and how long they have worked in the position;
(b) Current resume for Compliance Officer
(c) A list of all persons who currently serve on your Compliance Committee,
along with;
(1) Job titles/department
(2) Length of time with the organization
(3) Brief description of each person’s responsibilities (if any) on the
Compliance Committee (e.g. member of a sub-committee);
(d) Your Compliance Committee Charter and its effective date
(e) If you have a governing body committee that oversees the Medicare
compliance program, please:
(1) Identify that committee

Page 2 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
(2) Identify its chairman and other members
(3) Provide a copy of the committee’s charter
6.

(Applicable to Element II) Identify each compliance committee meeting (other than
Board-level Compliance Committees, which are covered in Request No. 7 below) during
the audit period at which Medicare Part C and/or Part D compliance and/or Medicare
FWA issues were a topic on the agenda and/or were discussed. Also, provide the
following:
(a) Agendas and meeting minutes 3 (you may redact any non-Medicare issues)
(b) All documentation that details the content of the meeting, including specific
reports, charts, or other documents that the committee meeting minutes refer to or
that were otherwise reviewed or discussed during each meeting. In other words,
provide data that details the dates of the meetings, what was discussed, materials
that were shared at the meeting regarding compliance (e.g. PowerPoint
presentations, emails, handouts, reports, memoranda, etc.)
(c) Action items assigned to correct compliance issues and reports provided to the
senior-most leader and/or governing body on the status of the compliance
program.

7.

(Applicable to Element II) Identify each Board meeting and Board-level Compliance
Committee meeting during the audit period at which Medicare Part C and/or Part D
compliance and/or Medicare FWA issues were a topic on the agenda and/or were
discussed. Also, provide the following:
(a) Agendas and Meeting minutes 4 (you may redact any non-Medicare issues)
(b) All documentation that details the content of the meeting, including specific
reports, charts, or other documents that the Board meeting minutes refer to or that
were otherwise reviewed or discussed during each meeting. In other words,
provide data that details the dates of the meetings, what was discussed, materials
that were shared at the meeting regarding compliance (e.g. PowerPoint
presentations, emails, handouts, reports, memoranda, etc.)

3

The Compliance Program Guidelines provide Sponsors the flexibility to reflect the substance of meetings in either
formal minutes or in whatever documentation they choose. Where “minutes” are requested and your organization’s
minutes do not reflect the substance of the meeting, you may submit whatever minutes exist plus any other
documentation reasonably contemporaneous with the meeting that reflects the substance of the meeting (e.g. a
memorandum, an email, etc. ) in order to establish reasonable oversight.
4
See footnote 3.

Page 3 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
(c) With respect to Medicare compliance and FWA issues presented to the Board,
please provide documentation of the actions or decisions made to ensure the
issues are resolved.
(d) In addition to the meeting content, if there are other oversight activities
outside of Board meetings, please provide documentation.
8.

(Applicable to Element III and Oversight of FDRs) Provide a list of all general Medicare
compliance education provided to your employees volunteers, members of the governing
body, first-tier, downstream and related entities (FDRs) and/or others during the audit
period.
(a) Please include the date, topic, audience, and method of education.

9.

(Applicable to Element III and Oversight of FDRs) Provide a list of all Medicare FWA
training provided to your employees volunteers, members of the governing body, FDRs
and/or others during the audit period.
(a) Please include the date, topic, audience, and method of education.

10.

(Applicable to Oversight of FDRs) Provide a brief statement explaining the mechanism
used to provide FWA training to FDRs:
(a) Sponsor provided FWA training to FDRs, and/or
(b) Sponsor provided FWA training materials to FDRs, and/or
(c) FWA training provided to FDRs by some other means (please specify)

11.

(Applicable to Element III) Provide a description, including examples, of how it was
determined that training and education were effective in reducing compliance and FWA
risks.

12.

(Applicable to Element IV and Oversight of FDRs) Provide evidence that you have
provided reporting mechanisms for employees, FDRs, and enrollees (e.g. hotline
number).

13.

(Applicable to Element IV) Provide a brief description of the mechanism used to
communicate information and regulatory changes from the compliance officer to others
(e.g. employees, FDRs).

14.

(Applicable to Element IV) Provide a list of all HPMS Memos received during the audit
period indicating the following:

Page 4 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
(a) HPMS memo date
(b) Date compliance department disseminated to Medicare C/D business owner
(c) Identify Medicare C/D business area/owner responsible for implementing
policy changes/updates in HPMS memo
15.

(Applicable to Elements II, IV, VII and Oversight of FDRs) Provide a list of all reports of
program non-compliance and/or suspected FWA received during the audit period
including, but not limited to all hotline calls received. Please provide the following
information regarding each report:
(a) Case number or reference ID number;
(b) Source of the report (e.g. employee, FDR, enrollee);
(c) How issue as reported (e.g. hotline, in-person, manager, website);
(d) Date issue was reported;
(e) Description of issue;
(f) Date of resolution (if not received, please note); and
(g) How issue was resolved.

16.

(Applicable to Element V) Identify the location of your disciplinary policies and
procedures - Do not provide copies of the text of the disciplinary policies.
(a) Title and where located (e.g located in Standards of Conduct at page(s) ___,
Policy No. ___ titled ______, etc.)

17.

(Applicable to Element V) Provide a few examples of the mechanisms used to publicize
disciplinary standards for employees and FDRs.

18.

(Applicable to Element V) Provide a list of all employees who have been identified as
having engaged in unethical, non-compliant or illegal conduct or who otherwise violated
standards of conduct for noncompliance with Medicare requirements and/or participated
in incidents of FWA, including the following:
(a) Case number or reference ID number;
(b) Title and operational area of employee;
(c) Source of the report (e.g. employee, FDR, enrollee)
(d) How issue was reported (e.g. hotline, in-person)
Page 5 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
(e) Date violation was reported;
(f) Description of violation;Date of disciplinary action; and
(g) Description of the disciplinary action taken (if none taken, please note)
19.

(Applicable to Element V) Describe how the Sponsor determines that disciplinary
policies and disciplinary actions are applied consistently.

20.

(Applicable to Element VI) Provide all formal risk assessments by which you identified
compliance and potential FWA risks with respect to Medicare Part C and/or Part D
programs during the audit period.

21.

(Applicable to Element VI) Provide all audit and monitoring work plans in effect at any
time during the audit period applicable to the Medicare Part C and/or Part D programs.

22.

(Applicable to Element VI and FDR Oversight) Provide a current list of all systems
and/or mechanisms used to conduct internal monitoring, auditing, and tracking Medicare
compliance and potential FWA issues in the following areas:
(a) Medicare Part C and/or operational areas; and
(b) FDR/delegation oversight.

23.

(Applicable to Element VI) Provide a list of all monitoring activities conducted during
the audit period in the following areas: formulary administration, Part C and D claims
payment, Part C organization determinations, appeals and grievances, Part D coverage
determination, appeals, and grievances, agents/brokers, enrollment/disenrollment, LEPs,
compliance program credentialing/re-credentialing and human resources (e.g., hiring).
State whether one or more deficiencies were found.

24.

(Applicable to Element VI) Provide a list of all auditing activities conducted during the
audit period in the following areas: formulary administration, Part C and D claims
payment, Part C organization determinations, appeals and grievances, Part D coverage
determination, appeals, and grievances, agents/brokers, enrollment/disenrollment, LEPs,
compliance program credentialing/re-credentialing and human resources (e.g., hiring)
and, as to each, state whether one or more deficiencies were found. Also, indicate which
activities were conducted by external auditors.

25.

(Applicable to Element VI) Provide a description, including examples, of how it was
determined that internal auditing and monitoring activities were effective in reducing
compliance and FWA risks.

Page 6 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
26.

(Applicable to FDR Oversight) Provide a current list of the names and functional
responsibilities of all of your first-tier entities.

27.

(Applicable to FDR Oversight) Please identify all first tier entities that you audited
during the audit period, together with the dates on which the auditing occurred. Please
state if each first tier entity audited is deemed or non-deemed for purposes of FWA
training.
(a) If you did not audit all of your first tier entities during the audit period, please
describe how your organization selected those that were audited.

28.

(Applicable to Element VI) Please list the name, job title and department of all persons
who conducted internal auditing of your Medicare Parts C and/or D operational areas
during the audit period and specify the operational area that each person audited.

29.

(Applicable to Element VI) Did you conduct an audit of the effectiveness of the Medicare
compliance program during the audit period? (Yes or No) If yes, please provide the
following:
(a) State who conducted the audit,
(b) Date audit conducted
(c) Provide the audit report or analysis. and the date when it was conducted and
please provide the audit report.

30.

(Applicable to Elements VI and VII) Provide a description, including examples, of
specific monitoring activities performed during the audit period to prevent and detect
FWA (e.g. data analysis)

31.

(Applicable to Elements II and VII) To the extent not identified in response to Request
No. 15 above, provide a current list of all incidents of non-compliance identified by any
source (e.g. auditing, monitoring, self-evaluation). Please include the following
information:
(a) Date incident detected;
(b) Method and/or source by which incident detected;
(c) Nature of the incident;
(d) Operational area affected.

32.

(Applicable to Elements II and VII) To the extent not identified in response to Request
No. 15 above, provide a current list of all potential incidents of FWA identified by any

Page 7 of 8

(ATTACHMENT III)

Compliance Program Data and Document Requests
2013 Compliance Program Audit Protocols
source (e.g. auditing, monitoring, self-evaluation). Please include the following
information:
(a) Date incident detected;
(b) Method and/or source by which incident detected;
(c) Nature of the incident detected;
(d) Operation area affected;
(e) Geographic area where incident occurred (by county), particularly noting
whether the investigation occurred in any of the following counties: Broward
(FL), Harris (TX), Kings (NY), Los Angeles (CA), Miami Dade (FL); Baton
Rouge Parish (LA); Wayne (MI); Houston (TX); Dallas (TX); Pinellas (FL);
Cook (IL).

Page 8 of 8