Download:
pdf |
pdfPart C and D Compliance
Program Effectiveness (CPE)
Program Area
AUDIT PROCESS AND DATA REQUEST
Expires: TBD
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Table of Contents
Audit Purpose and General Guidelines............................................................................................................ 3
Universe Preparation & Submission ................................................................................................................ 5
Tracer Evaluation............................................................................................................................................. 7
Audit Elements ................................................................................................................................................ 9
I. Prevention Controls and Activities .............................................................................................................. 9
II. Detection Controls and Activities ............................................................................................................. 10
III. Correction Controls and Activities .......................................................................................................... 11
Appendix ....................................................................................................................................................... 12
Appendix A—Compliance Program Effectiveness (CPE) Record Layouts.............................................. 12
Table 1: First-Tier Entity Auditing and Monitoring (FTEAM) Record Layout .................................... 12
Table 2: Employees and Compliance Team (ECT) Record Layout ...................................................... 17
Table 3: Internal Auditing (IA) Record Layout..................................................................................... 19
Table 4: Internal Monitoring (IM) Record Layouts .............................................................................. 23
Page 2 of 25
v.10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Audit Purpose and General Guidelines
1. Purpose: To evaluate the sponsor’s performance with adopting and implementing an effective
compliance program to prevent, detect and correct Medicare Parts C or D program noncompliance and fraud, waste and abuse (FWA) in a timely and well-documented manner. The Centers
for Medicare and Medicaid Services (CMS) will perform its audit activities using these instructions
(unless otherwise noted).
2. Review Period: The review period for the Compliance Program Effectiveness (CPE) audits is 1 year
preceding and including the date of the audit engagement letter (prior Month, Day, Year through audit
engagement letter Month, Day, and Year).
3. Responding to Documentation Requests: The sponsor is expected to present its supporting
documentation during the audit and take screen shots or otherwise upload the supporting
documentation, as requested, to the secure site using the designated naming convention and
within the timeframe specified by the CMS Audit Team. . The screenshots must be provided
to CMS via a Microsoft® Word or PDF document.
4. Sponsor Disclosed Issues: Sponsors will be asked to provide a list of all disclosed issues of noncompliance that are relevant to the program areas being audited and may be detected during the audit.
A disclosed issue is one that has been reported to CMS prior to the receipt of the audit start notice
(which is also known as the “engagement letter”). Issues identified by CMS through on-going
monitoring or other account management/oversight activities during the plan year are not considered
disclosed.
Sponsors must provide a description of each disclosed issue as well as the status of correction and
remediation using the Pre-Audit Issue Summary template. This template is due within 5 business days
after the receipt of the audit start notice. The sponsor’s Account Manager will review the summary to
validate that “disclosed” issues were known to CMS prior to receipt of the audit start notice.
When CMS determines that a disclosed issue was promptly identified, corrected (or is actively
undergoing correction), and the risk to beneficiaries has been mitigated, CMS will not apply the ICAR
condition classification to that condition.
NOTE: For CPE, CMS wants a list of all disclosed issues relating to a sponsor’s compliance program,
not issues discovered during compliance activities (such as routine monitoring or auditing). For
example: the sponsor disclosed an issue to CMS that during the audit review period the SIU failed to
comply with a number of requests for additional information from the MEDIC and enforcement
agencies.
5. Calculation of Score: CMS will determine if each condition cited is an Observation (0 points),
Corrective Action Required (CAR) (1 point) or an Immediate Corrective Action Required (ICAR)
(2 points). Invalid Data Submissions (IDS) conditions will be cited when a sponsor is not able to
produce an accurate universe within 3 attempts. IDS conditions will be worth one point.
CMS will then add the score for that audit element to the scores for the remainder of the audit elements
in a given protocol and then divide that number (i.e., total score), by the number of audit elements tested
to determine the sponsor’s overall CPE audit score. Some elements and program areas may not apply
to certain sponsors and therefore will not be considered when calculating
Page 3 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
program area and overall audit scores. Observations will be recorded in the draft and final reports,
but will not be scored and therefore will not be included in the program area and audit scores.
6. Informing Sponsor of Results: CMS will provide daily updates regarding conditions discovered
that day (unless the tracer has been pended for further review). CMS will provide a preliminary
summary of the conditions at the exit conference. The CMS Audit team will do its best to be as
transparent and timely as possible in its communication of audit findings. Sponsors will also
receive a draft audit report which they may formally comment on and then a final report will be
issued after consideration of a sponsor’s comments on the draft.
Page 4 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Universe Preparation & Submission
1. Responding to Universe Requests: The sponsor is expected to provide accurate and timely
universe submissions within 15 business days of the engagement letter date. CMS may request
a revised universe if data issues are identified. The resubmission request may occur before
and/or after the entrance conference depending on when the issue was identified. Sponsors will
have a maximum of 3 attempts to provide complete and accurate universes, whether these
attempts all occur prior to the entrance conference or they include submissions prior to and
after the entrance conference. However, 3 attempts may not always be feasible depending on
when the data issues are identified and the potential for impact to the audit schedule. When
multiple attempts are made, CMS will only use the last universe submitted.
If the sponsor fails to provide accurate and timely universe submissions twice, CMS will document
this as an observation in the sponsor’s program audit report. After the third failed attempt, or when
the sponsor determines after fewer attempts that they are unable to provide an accurate universe
within the timeframe specified during the audit, the sponsor will be cited an Invalid Data Submission
(IDS) condition relative to each element that cannot be tested, grouped by the type of case.
2. Pull Universes and Submit Documentation: The universes and documentation collected for
this program area test the sponsor’s performance in compliance program effectiveness.
Sponsors will provide universes and supporting documentation that describe the framework
and operation of its compliance program and universes to support the implementation of
compliance activities conducted within the audit period.
2.1. Documentation: Sponsors should submit the following documentation in either a
Microsoft Word (.docx), Microsoft Excel (.xlsx) or Portable Document File (PDF).
•
•
•
•
•
•
•
•
•
Completed CPE Self-Assessment Questionnaire (Attachment I-A)
Completed Compliance Officer Questionnaire (Attachment I-B)
Customized Organizational Structure and Governance PowerPoint Presentation (Attachment
I-C)
Completed First-Tier Downstream and Related Entities (FDR) Operations Questionnaire
(Attachment I-D)
Completed Special Investigation Unit (SIU)/FWA Prevention and Detection Questionnaire
(Attachment I-E)
Standards of Conduct/Code of Conduct document (distributed to employees and
FDRs during the audit review period)
Corporate Compliance/Medicare Compliance/FWA Plan (or similar document in
effect during the audit review period)
Formal Risk Assessments and Compliance Performance Mechanisms that show
the extent to which Medicare Parts C and/or D operational areas and FWA risks
were identified and compliance goals were monitored during the audit review
period
Audit and Monitoring Work Plans (for internal operations and FDRs, in effect at any
time during the audit review period)
2.2. Data Universes: Universes should be compiled using the appropriate record layouts as
described in Appendix A. These record layouts include:
Page 5 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
•
•
•
•
First-Tier Entity Auditing and Monitoring (FTEAM)
Employee and Compliance Team (ECT)
Internal Auditing (IA)
Internal Monitoring (IM)
NOTE:
• For each respective universe, the sponsor should include all items that match the description
for that universe for all contracts and PBPs in its organization as identified in the audit
engagement letter.
• For each respective universe, the sponsor should include compliance and FWA activities.
• Please refer to Section 40 of the Medicare Parts C and D Compliance Program Guidelines for
definitions, flowcharts and guidance on relationships between sponsor and first-tier entities.
• Please refer to Section 50.6 of the Medicare Parts C and D Compliance Program Guidelines
for definitions and guidance for routine internal auditing and monitoring requirements and
expectations.
• Please refer to Sections 50.6.9 and 50.6.10 for guidance on fraud, waste and abuse monitoring
activities and SIU operations.
3. Submit Universes to CMS: Sponsors should submit each data universe in the Microsoft
Excel (.xlsx) or Comma Separated Values (.csv) file format with a header row (or Text (.txt)
file format without a header row) following the record layouts shown in Appendix A (Tables
1-4). The sponsor should submit its universes in whole and not separately for each contract
and PBP. The sponsor should submit all documentation with its universes.
Page 6 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Tracer Evaluation
1. Sample Selection: In order to be effective, a sponsor’s compliance program must be fully
implemented and tailored to the sponsor’s unique organization, operations, and circumstances.
CMS will use a tracer method to evaluate implementation of applicable compliance elements
and determine whether the sponsor’s compliance program, as a whole system, functions in a
way that is effective to address compliance and FWA issues in a timely and well-documented
manner. CMS will select a sample of six (6) cases from the universes to trace the sponsor’s
response to compliance issues. It is not required that each case in the sample will cover all
elements of a compliance program.
For example, a case pulled from the Internal Monitoring (IM) universe may involve a quality
monitoring activity performed by a sponsor’s quality improvement (QI) department to review
and analyze untimely grievances. This activity identified compliance issues that involved
additional training and education, communication with involved parties and revisions to
processes, and other actions to correct and prevent the issue from recurring in the future.
However, after a thorough root cause analysis was completed, the QI department and
Compliance Officer determined the issues were isolated with limited beneficiary impact which
required engagement by the Compliance Committee but not escalation to senior management
or the governing body. While this case touched many of the seven elements of an effective
compliance program, due to the detected issues having minimum impact on the Medicare
business it was not necessary for the sponsor to implement all of the core requirements and
actions identified in Compliance Program Elements I, II, and V.
2. Tracer Case Summary and Documentation Reviews:
2.1. Tracer Case Summary: For each selected case, sponsors should prepare a written document
that provides the specific facts, rationales, and decisions and describe how suspected, detected or
reported compliance issues are investigated and resolved by the sponsor in chronological order.
The sponsor should ensure each tracer summary, at a minimum, addresses the following points:
•
•
•
•
•
•
•
•
•
Overview of the issue(s) or activity
Indicate which compliance and business operations units were involved in detecting and
correcting the issue(s)
Detailed explanation of the issue(s)/ activity (e.g., what the sponsor found, when the sponsor
first learned about the issue, and who or which personnel/operational area(s) were involved.)
Root cause analysis that determined what caused or allowed the compliance issue, problem or
deficiency to occur
Specific actions taken in response to the detected issue(s)/activity
Processes and procedures affected and revised in response to becoming aware of the
issue(s)/activity
Steps taken to correct the issues/deficiencies at the sponsor or FDR levels, including a
timeline indicating the corrective actions fully implemented or, if not implemented, when the
sponsor expects the corrective action to be completed.
Issue escalation (e.g. senior management, compliance oversight committees, governing body,
etc.)
Communication within the sponsor and with its FDRs
Page 7 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
•
Prevention controls and safeguards implemented in response to the issue(s)/activity
Sponsors must document the facts of each tracer summary using the most effective and efficient
method for their business. While the method used frequently by sponsors for tracer summaries are
PowerPoint presentations (PPTs), sponsors may use other communication tools such as MS Word,
story boards, and/or dashboards. A total of 6 tracer summaries must be submitted to CMS.
2.2. Supporting Documentation: During the onsite portion of the audit, CMS will review the
summaries and supporting documentation during the tracer reviews with the sponsor to
determine if applicable audit elements were effectively met. The sponsor will need access and
provide screenshots only for the documents and data that are relevant to a particular case:
•
•
•
•
•
•
•
•
•
3.
Policies and procedures (Ps&Ps) reviewed and revised in response to detecting and correcting
compliance issues.
Evidence that compliance issues were communicated to the appropriate compliance
personnel, senior management and oversight entities.
Training provided in response to identifying and correcting compliance issues.
Evidence of communication to the affected or involved business areas regarding the
compliance issues.
Evidence of the monitoring/auditing activities that occurred as a result of the detected issues.
Evidence of sponsor’s monthly screening to identify employees and FDRs excluded by the
Office of Inspector General (OIG) and General Services Administration (GSA).
Evidence of appropriate accountability and oversight by the sponsor when issues are detected
at the FDR level, including response and correction procedures, communication, educational
requirements and engagement with compliance department, operational areas and any
oversight entities.
Evidence/explanation of the root cause analysis performed to determine why the issue
occurred.
Description of the beneficiary and/sponsor impact as a result of the detected compliance
issues.
Submit Tracer Documentation to CMS: Sponsors should be prepared to provide only the
supporting documentation that is specific for each tracer either by uploading to the Health Plan
Management System (HPMS) or providing onsite.
Page 8 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Audit Elements
I. Prevention Controls and Activities
This audit element evaluates the sponsor’s internal controls to reduce the number of potential noncompliance, FWA and regulatory violations from occurring within all Medicare business operational
areas by employees and delegated entities. These compliance controls provide the framework for which
the company and its employees operate, convey compliance expectations, prevent repeated issues from
recurring and deter minor issues from becoming significant problems with adverse impact to the
sponsor’s operations and Medicare beneficiaries.
1.
Apply Compliance Standard: CMS will evaluate cases through the tracer review against the
following criteria. CMS may review factors not specifically addressed in these questions if it is
determined that there are other related CPE requirements not being met. Also, since some cases may
not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor update and distribute their Standards of Conduct and Ps&Ps to their
employees/FDRs when appropriate and within required timeframes?
1.2. Did the sponsor’s compliance officer and compliance committee operate in accordance
with CMS requirements?
1.3. Did the sponsor demonstrate appropriate accountability and reporting of Medicare
compliance issues to appropriate senior management/executives and the governing body?
1.4. Did the sponsor have a governing body that exercises reasonable oversight of the Medicare
compliance program?
1.5. Did the sponsor establish and implement effective training and education to ensure its
employees, senior administrators and governing body members were aware of the
Medicare requirements related to the job function, compliance and FWA?
1.6. Did the sponsor implement an effective monitoring system to prevent FWA in the delivery
of Medicare Parts C and D benefits?
2. Tracer Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews while onsite to provide insight and additional information on the
sponsor’s compliance program. If CMS requirements are not met, conditions (findings) are
cited. If CMS requirements are met, no conditions (findings) are cited. NOTE: Cases and
conditions may have a one-to-one or a one-to-many relationship. For example, one case may be
associated with a single condition or multiple conditions of non-compliance.
Page 9 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
II. Detection Controls and Activities
This audit element evaluates the sponsor’s internal controls to monitors and detect potential and
suspected compliance issues and activities. These compliance controls identify opportunities for the
sponsor to improve the performance of Medicare business operational areas and the compliance
program.
1. Apply Compliance Standard: CMS will evaluate cases through the tracer review against the
following criteria. CMS may review factors not specifically addressed in these questions if it is
determined that there are other related CPE requirements not being met. Also, since some cases may
not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor implement a reporting system to receive, record, respond to, and track
compliance concerns, questions and reports of suspected or detected non-compliance and
FWA that allowed for anonymity and maintains confidentiality (e.g., telephone hotline)?
1.2. Did the sponsor implement a risk assessment that identified areas of concern and major
compliance risks for its Medicare business operational areas and beneficiaries?
1.3. Did the sponsor implement an effective system for monitoring and auditing its internal
Medicare Parts C and/or D operations and compliance program effectiveness?
1.4. Did the sponsor review the OIG and GSA exclusion systems, as required, to ensure that
none of their employees or FDRs were excluded or became excluded from participation in
federal programs?
1.5. Did the sponsor implement an effective monitoring system to detect and control FWA in
the delivery of Medicare Parts C and D benefits?
1.6. Did the sponsor properly monitor and audit its FDRs to ensure compliance with all
applicable laws, regulations and sub-regulatory interpretive guidance with respect to the
Medicare Parts C and/or D delegated functions and responsibilities?
1.7. Did the sponsor implement effective communication, monitoring and auditing controls for
detected issues involving its FDRs’ compliance performance?
2. Tracer Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews while onsite to provide insight and additional information on the
sponsor’s compliance program. If CMS requirements are not met, conditions (findings) are
cited. If CMS requirements are met, no conditions (findings) are cited. NOTE: Cases and
conditions may have a one-to-one or a one-to-many relationship. For example, one case may be
associated with a single condition or multiple conditions of non-compliance.
Page 10 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
III. Correction Controls and Activities
This audit element evaluates the sponsor’s escalation processes, timely response and appropriate actions
to correct the underlying problems after compliance issues and deficiencies are identified. These
compliance controls provide immediate and reasonable response to the detection of misconduct and
violations of the Medicare program.
1. Apply Compliance Standard: CMS will evaluate cases through the tracer review against the
following criteria. CMS may review factors not specifically addressed in these questions if it is
determined that there are other related CPE requirements not being met. Also, since some cases may
not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor undertake timely and reasonable corrective action in response to
compliance issues, incidents, investigations, complaints or misconduct involving Medicare
non-compliance or FWA?
1.2. Did the sponsor implement timely corrective actions for detected issues involving its FDRs’
compliance performance?
2. Tracer Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews while onsite to provide insight and additional information on the
sponsor’s compliance program. If CMS requirements are not met, conditions (findings) are
cited. If CMS requirements are met, no conditions (findings) are cited. NOTE: Cases and
conditions may have a one-to-one or a one-to-many relationship. For example, one case may be
associated with a single condition or multiple conditions of non-compliance.
Page 11 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Appendix
Appendix A—Compliance Program Effectiveness (CPE) Record Layouts
The universes for the Parts C & D Compliance Program Effectiveness (CPE) program area must be
submitted as a Microsoft Excel (.xlsx) or Comma Separated Values (.csv) files with a header row
reflecting the field names (or Text (.txt) file without a header row). Do not include the Column ID
variable which is shown in the record layout as a reference for a field’s column location in an Excel or
Comma Separated Values file. Do not include additional information outside of what is dictated in the
record layout. Submissions that do not strictly adhere to the record layout will be rejected.
Note: There is a maximum of 4000 characters per record row. Therefore, should additional characters be
needed for a variable (e.g., description of deficiencies), enter this information on the next record at the
appropriate start position.
Table 1: First-Tier Entity Auditing and Monitoring (FTEAM) Record Layout
• Include:
o First-tier entities (FTEs) that have entered into a written agreement with a sponsor to
provide administrative or health care services to Medicare enrollees under the Part C
and/or D program (e.g., PBM, claims processors, enrollment processes, fulfillment, call
centers, credentialing, independent provider groups that manage/oversee a network of
physicians).
o Compliance and FWA audit and monitoring activities of first-tier entities that were
conducted by the compliance department, operational areas and SIU to evaluate the
compliance performance of first-tier entities.
o Audit and monitoring activities performed during the audit review period to identify and
address potential or suspected non-compliance and FWA at the FDR level in the delivery
of Medicare Part C and/or D benefits.
o Audit and monitoring activities that reviewed reports from FDRs to detect noncompliance and FWA trends and abnormalities
o Audit and monitoring activities to investigate allegations of non-compliance and
fraudulent , wasteful, abusive or questionable behavior performed by FTEs (e.g.
employee misconduct, fraudulent provider or pharmacy claims, fraudulent FTE invoices,
misuse of Medicare beneficiary information, overpayments, complaints or tips received
through hotlines, referrals, members, MEDIC, law enforcement, etc.)
o Audit and monitoring activities initiated, started, re-opened or completed during the audit
review period. This includes auditing and monitoring activities that may have started
outside the audit review period, but were completed within the audit review period.
o Audit and monitoring activities that are performed on a scheduled basis (e.g., weekly,
monthly, quarterly, annually, ad-hoc), should be included in the universe each time it was
performed.
o Related entities acting as a first-tier entity to provide administrative or health care
services.
o Other audit or monitoring activities of downstream entities performed by the sponsor
during the audit review period.
• Exclude:
o First-tier entities that do not provide an administrative or health care service function
related to the sponsor’s Medicare Parts C and/or D contracts.
Page 12 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
o
o
o
Audit and monitoring activities that are performed on a daily basis.
First-tier entities that were not audited or monitored within the audit review period.
Downstream or related entities that were not audited/monitored by the sponsor during the
audit review period.
Column
ID
A
Field Name
Field Type
Name of FTE
B
FTE function and
responsibilities
CHAR Always
Required
CHAR Always
Required
C
FTE Contract Effective
Date
CHAR Always
Required
Field
Length
100
400
10
Description
Name of the first-tier entity (FTE) that
was audited or monitored.
Brief description of the administrative
or health care service function(s) and
responsibilities the FTE conducts on
behalf of the sponsor.
Effective date of the FTE contract
specific to the delegated Part C or Part
D functions or services being reviewed
or audited by the sponsor.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01).
Name of the sponsor’s component(s),
department(s) and/or operational
area(s) that work in part or whole with
the FTE.
Enter whether the activity was an
“audit” or a “monitoring” activity.
D
Component
CHAR Always
Required
100
E
Activity Type
CHAR Always
Required
10
F
Compliance or FWA?
CHAR Always
Required
10
Enter whether the activity was a
“compliance” or a “FWA” activity.
G
Activity Frequency
CHAR
Always
Required
10
H
Activity Rationale
CHAR Always
Required
200
I
Activity Description
CHAR Always
Required
400
Provide the frequency of the audit or
monitoring activity (e.g. weekly,
monthly, quarterly, annually, or adhoc).
Provide the rationale for conducting the
audit or monitoring activity (e.g.,
monitoring activity was implemented
because the function has an immediate
impact on members’ access to
immediate medical care and
prescription drugs).
Provide a description of the audit or
monitoring activity (e.g., operational
area, training requirements, timeliness,
accuracy of organization
determinations and notifications,
messaging errors, contractual
agreements, pharmacy or provider
claims, unannounced or onsite audits,
spot checks, compliance monitoring,
targeted or stratified sampling, audit
protocols).
Page 13 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
J
K
Field Name
Field Type
Activity Start Date
CHAR Always
Required
Activity Completion Date
CHAR
Always
Required
Field
Length
10
10
L
Identified Deficiencies
CHAR Always
Required
3
M
Number of Deficiencies
CHAR Always
Required
3
Description
Date that the specific audit or
monitoring activity was initiated,
started or reopened by the sponsor. For
example, if the sponsor started
monitoring a function of the PBM to
ensure it properly implemented its
transition policy for new beneficiaries
on January 1, 2017, that is the date that
would be used for the date the audit or
monitoring started.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01).
Date that the audit or monitoring
activity ended. For example, if the
sponsor completed monitoring a
function of the PBM to ensure it
properly implemented its transition
policy for new beneficiaries on January
31, 2017, that is the date that would be
used for the date the audit or
monitoring completed.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01). Answer TBD (To Be
Determined) if the audit or monitoring
activity is currently in progress.
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were
discovered during the audit or
monitoring activity. Answer TBD if
deficiencies have yet to be identified
for an ongoing activity.
Provide the number of deficiencies,
findings or issues identified.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
N
Description of
Deficiencies
CHAR Always
Required
1000
Provide a summary of deficiencies,
findings or issues identified during the
audit or monitoring activity. If the audit
or monitoring activity was identified in
the pre-audit issue summary submitted
to CMS, provide the issue number in
the description.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity
Page 14 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
O
Field Name
Field Type
Corrective Action
Required
CHAR Always
Required
Field
Length
200
Description
Yes (Y), No (N), or To Be Determined
(TBD) indicator of whether corrective
action was required for each
deficiency/issue identified.
Answer “Y” if every previously
described deficiency identified during
the audit or monitoring activity
required a corrective action. Answer
“N” if none of the previously described
deficiencies required a corrective
action. If some but not all of the
previously described deficiencies from
the audit or monitoring activity
required corrective action, specify
which deficiencies needed a corrective
action and separate by a number as
needed (e.g., 1. Part D coverage
determinations processed incorrectly –
Y, 2. Part D coverage determinations
Timeliness – N).
P
Corrective Action
Description
CHAR Always
Required
1000
Answer TBD if corrective actions have
yet to be determined for an ongoing
activity.
Provide a summary of the corrective
action(s) implemented by the sponsor
and FTE in response to the
noncompliance or potential FWA,
including any root cause, timeframes
for specific achievements and any
ramifications for failing to implement
the corrective action satisfactorily.
For an audit or monitoring activity that
identified multiple issues, separate the
corrective actions implemented for
each issue by a number as needed (e.g.,
1. employee coaching was completed
between 2017/02/01 and 2017/02/15
for the errors identified during the
2017/01/01 pharmacy mail order
monitoring activity, 2. member
remediation was conducted for 50
members that never received their
approved medication).
Answer TBD if corrective measures
have yet to be determine for an ongoing
activity. Answer N/A if corrective
action was not taken or determined
necessary by the sponsor for any of the
identified issues.
Page 15 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
Q
Field Name
Field Type
Activity Results Shared?
CHAR Always
Required
Field
Length
500
Description
Provide a summary that describes how
the results of the audit or monitoring
activity were communicated or shared
with sponsor’s affected components,
compliance department, senior
management, and/or the FTE.
Answer TBD if results have yet to be
determined and shared with others for
an ongoing activity.
Page 16 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Table 2: Employees and Compliance Team (ECT) Record Layout
• Include: all current employees of the sponsor (permanent, temporary, full-time, part-time)
including: senior management, volunteers (e.g., unpaid interns) who have job duties related to the
sponsor’s Medicare Advantage (Part C) and/or Prescription Drug (Part D) business, and members
of the governing body (i.e. Board of Directors) responsible for oversight of the Medicare program
who worked/served at any time during the audit review period.
• Exclude: individuals that have left the sponsor, terminated, resigned or do not work on the
Medicare Parts C and/or D line of business as of the date of the audit engagement letter.
Column
ID
A
Field Name
Field Type
Employee ID
B
Employee First Name
C
Employee Last Name
D
Employee’s Title
E
Employee’s
Organizational
Component
Physical Location
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
F
G
Date of Hire or
Appointment
H
Employee Type
I
Medicare Compliance
Department Employee?
J
Compliance Department
Job Description
Field
Length
15
Description
50
First name of the employee or governing body
member.
50
Last name of the employee or governing body
member.
50
Position or title of the employee or governing
body member.
50
Component or department in which the
employee works (e.g., appeals, marketing,
customer service)
Geographical or office location of the
employee (e.g., Baltimore, MD. Central
Headquarters)
Enter the employee’s start date with the
sponsor or governing body member
appointment. Submit in CCYY/MM/DD format
(e.g., 1940/01/01).
100
10
CHAR
Always
Required
CHAR
Always
Required
20
CHAR
Always
Required
1500
1
Internal employee ID assigned by the sponsor.
Answer N/A if no employee ID was assigned.
Indicate whether the individual is a governing
body member, full-time employee, part-time
employee, temporary employee, or a volunteer.
Yes(Y)/No (N) indicator of whether the
employee works for the Medicare Compliance
Department.
Briefly describe the job duties (e.g., internal
audit, training, privacy, SIU) of the employee
who works for the Compliance Department.
Please also provide the length of time they
have held that position.
Answer N/A if the employee does not work for
or support the Compliance Department.
Page 17 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
K
Field Name
Field Type
Compliance Committee
Member?
CHAR
Always
Required
L
Compliance Committee
Member’s Role
CHAR
Always
Required
Field
Length
3
1500
Description
Yes(Y) or No (N) indicator of whether the
employee or governing body member
participates on a compliance committee that
addresses Medicare compliance issues (e.g.
corporate compliance committee, compliance
and audit committee of the board, committee
that focuses on the compliance of FDRs.
Provide a summary of the role and/or expertise
each employee brings as a member of the
compliance committee (e.g., Manager of
appeals & grievances responsible for
addressing Part C appeals and grievance issues
and concerns that severely impact enrollees and
developing corrective action plans for the
affected internal departments and FDRs.)
Answer N/A if employee is not a member of
the compliance committee.
Page 18 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Table 3: Internal Auditing (IA) Record Layout
• Include:
o Compliance and fraud, waste and abuse (FWA) audit activities (formal review of
compliance with a particular set of standards as base measures) performed by the sponsor
to ensure that its internal business and/or operational areas are in compliance with
Medicare Parts C and D program requirements and to ensure that corrective actions are
undertaken timely and effectively.
o Audit activities performed during the audit review period to identify and address potential
or suspected non-compliance and FWA at the sponsor level in the delivery of Medicare
Part C and/or D benefits.
o Audit activities that reviewed reports from internal operational areas to detect noncompliance and FWA trends and abnormalities.
o Audit activities to investigate allegations of non-compliance and fraudulent ,wasteful,
abusive or questionable behavior performed by employees and board members involved
in administering or overseeing the sponsor’s Medicare Part C and/or D operations (e.g.
employee misconduct, internal operations, fraudulent provider or pharmacy claims,
fraudulent FTE invoices, misuse of Medicare beneficiary information, overpayments,
complaints or tips received through hotlines, referrals, members, MEDIC, law
enforcement, etc.)
o Audit activities initiated, started, re-opened or completed during the audit review period.
This includes audit activities that started prior to the audit review period, but were
completed within the audit period and activities that were started during the audit review
period but not yet completed.
o Audit activities that are performed on a scheduled basis (e.g., monthly, quarterly,
annually, ad-hoc), should be included in the universe each time it was performed.
• Exclude:
o Audit activities for non-Medicare lines of business (e.g., commercial, Medicaid) and
audit activities performed for first-tier entities during the audit review period.
o Audit activities that are performed on a daily basis.
Column
ID
Field Name
Field Type
Field
Length
Description
A
Component
100
B
Component
Responsibilities
C
Auditor Type
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
Name of the sponsor’s component,
department or operational area that was
audited.
Brief description of what responsibilities
the component, department or operational
area conducts on behalf of the sponsor.
Indicate who was responsible for
conducting the audit activity (e.g.,
compliance officer, internal audit
department, appeals & grievances
staff/manager, external audit firm).
For internal staff, provide the name(s) of
staff/department involved with
conducting the audit activity. For external
audit firms, provide the name(s) of the
firm/company.
Page 19 of 27
400
100
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
Field Name
Field Type
Field
Length
Description
D
Compliance or FWA?
10
Enter whether the activity was a
“compliance” or a “FWA” activity.
E
Audit Frequency
10
F
Audit Rationale
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
G
Audit Description
CHAR
Always
Required
400
H
Audit Start Date
CHAR
Always
Required
10
Provide the frequency of the audit
activity (e.g. weekly, monthly, quarterly,
annually, or ad-hoc).
Provide the rationale for conducting the
audit activity (e.g., audit activity was
implemented because the function has an
immediate impact on members’ access to
immediate medical care and prescription
drugs).
Provide a description of the audit activity
(e.g., operational area, training
requirements, timeliness, accuracy of
organization determinations and
notifications, messaging errors,
contractual agreements, unannounced or
onsite audits, spot checks, compliance
monitoring, targeted or stratified
sampling, audit protocols).
Date that the specific audit activity was
initiated, started or reopened. For
example, if the sponsor started an audit of
the appeals process/function within the
sponsor on January 1, 2017, that is the
date that would be used for the date the
audit started.
I
J
Audit Completion Date
Identified Deficiencies
Page 20 of 27
CHAR
Always
Required
CHAR
Always
Required
200
10
3
Submit in CCYY/MM/DD format (e.g.,
2017/01/01).
Date that the specific audit activity ended.
For example, if the sponsor ended an
audit of the appeals process/function
within the sponsor on January 31, 2017,
that is the date that would be used for the
date the audit ended.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01). Answer TBD (To Be
Determined) if the audit activity is
currently in progress.
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were discovered
during the audit activity. Answer TBD if
deficiencies have yet to be identified for
an ongoing activity.
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
Field Name
Field Type
Field
Length
Description
K
Number of Deficiencies
CHAR
Always
Required
3
Provide the number of deficiencies,
findings or issues identified.
L
Description of
Deficiencies
M
Corrective Action
Required
CHAR
Always
Required
CHAR
1000
200
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Provide a summary of all deficiencies,
findings or issues identified during the
audit activity. If the audit was identified
in the pre-audit issue summary submitted
to CMS, please include the issue number.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether corrective
action is required for each
deficiency/issue identified.
Answer “Y” if every previously described
deficiency identified during the audit
activity required a corrective action.
Answer “N” if none of the previously
described deficiencies required a
corrective action. If some but not all of
the previously described deficiencies
from the audit activity required corrective
action, specify which deficiencies needed
a corrective action and separate by a
number as needed (e.g., 1. Part D
coverage determinations processed
incorrectly – Y, 2. Part D coverage
determinations Timeliness – N).
Answer TBD if corrective actions have
yet to be determined for an ongoing
activity.
Page 21 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column
ID
Field Name
Field Type
Field
Length
Description
N
Corrective Action
Description
CHAR
Always
Required
1000
Provide a summary of the corrective
action(s) implemented by the sponsor in
response to the noncompliance or
potential FWA, including any root cause
analysis, timeframes for specific
achievements and any ramifications for
failing to implement the corrective action
satisfactorily.
For an audit activity that identifies
multiple issues, separate the corrective
actions implemented for each issue by a
number as needed (e.g., 1. employee
coaching was completed between
2017/02/01 and 2017/02/15 for the errors
identified during the 2017/01/01
pharmacy mail order audit activity, 2.
member remediation was conducted for
50 members that never received their
approved medication).
O
Audit Results Shared?
CHAR
Always
Required
500
Answer TBD if corrective measures have
yet to be determine for an ongoing
activity. Answer N/A if corrective action
was not taken or determined necessary by
the sponsor for any of the identified
issues.
Provide a summary that describes how
the results of the audit activity were
communicated or shared with sponsor’s
affected components, compliance
department, senior management, and/or
the FTE.
Answer TBD if results have yet to be
determined and shared with others for an
ongoing activity.
Page 22 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Table 4: Internal Monitoring (IM) Record Layouts
• Include:
o Compliance and fraud, waste and abuse (FWA) monitoring activities (routine, scheduled
and ad-hoc reviews as part of normal operations) performed by the sponsor to test and
confirm internal business and/or operational areas are in compliance with Medicare Parts
C and/or Part D program requirements and to ensure that corrective actions are
undertaken timely and effectively.
o Monitoring activities performed during the audit review period to identify and address
potential or suspected non-compliance and FWA at the sponsor level in the delivery of
Medicare Part C and/or D benefits.
o Monitoring activities that reviewed reports from internal operational areas to detect noncompliance and FWA trends and abnormalities.
o Monitoring activities to investigate allegations of non-compliance and fraudulent,
wasteful, abusive or questionable behavior performed by employees and board members
involved in administering or overseeing the sponsor’s Medicare Part C and/or D
operations (e.g. employee misconduct, internal operations, fraudulent provider or
pharmacy claims, fraudulent FTE invoices, misuse of Medicare beneficiary information,
overpayments, complaints or tips received through hotlines, referrals, members, MEDIC,
law enforcement, etc.)
o All monitoring activities initiated, started, re-opened or completed during the audit
review period. This includes monitoring activities that started prior to the audit review
period, but were completed within the audit review period and activities that were started
during the audit review period but not yet completed.
o For monitoring activities that are performed on a scheduled basis (e.g., weekly monthly,
quarterly, annually, ad-hoc), it should be included in the universe each time it was
performed.
•
Exclude:
o Monitoring activities for non-Medicare lines of business (e.g., commercial,
Medicaid).and monitoring activities performed for first-tier entities during the audit
review period.
o Monitoring activities that are performed on a daily basis.
Column ID
Field Name
A
Component
B
Component
Responsibilities
Page 23 of 27
Field
Type
CHAR
Always
Required
CHAR
Always
Required
Field
Length
100
400
Description
Name of the sponsor’s component,
department or operational area that was
monitored.
Brief description of what responsibilities
the component, department or
operational area conducts on behalf of
the sponsor.
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column ID
Field Name
Field
Type
CHAR
Always
Required
Field
Length
100
C
Monitor Type
D
Compliance or FWA?
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
10
E
Monitoring Frequency
F
Monitoring Rationale
G
Monitoring Description
CHAR
Always
Required
400
H
Monitoring Start Date
CHAR
Always
Required
10
10
200
Description
Indicate who was responsible for
conducting the monitoring activity (e.g.,
compliance officer, internal audit
department, appeals & grievances
staff/manager, external audit firm).
For internal staff, provide the name(s) of
staff/department involved with
conducting the monitoring activity. For
external firms, provide the name(s) of
the firm/company.
Enter whether the activity was a
“compliance” or a “FWA” activity.
Provide the frequency of the monitoring
activity (e.g. weekly, monthly, quarterly,
annually, or ad-hoc).
Provide the rationale for conducting the
monitoring activity (e.g., monitoring
activity was implemented because the
function has an immediate impact on
members’ access to immediate medical
care and prescription drugs).
Provide a description of the monitoring
activity (e.g., operational area, training
requirements, timeliness, accuracy of
organization determinations and
notifications, messaging errors,
contractual agreements, unannounced or
onsite audits, spot checks, compliance
monitoring, targeted or stratified
sampling, audit protocols).
Date that the specific monitoring
activity was initiated, started or
reopened. For example, if the sponsor
started monitoring of the appeals
process/function within the sponsor on
January 1, 2017, that is the date that
would be used for the date the
monitoring started.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01).
Page 24 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column ID
Field Name
I
Monitoring Completion
Date
Field
Type
CHAR
Always
Required
Field
Length
10
J
Identified Deficiencies
CHAR
Always
Required
3
K
Number of Deficiencies
CHAR
Always
Required
3
L
Description of
Deficiencies
CHAR
Always
Required
1000
Description
Date that the specific monitoring
activity ended. For example, if the
sponsor ended monitoring of the appeals
process/function within the sponsor on
January 31, 2017, that is the date that
would be used for the date the
monitoring ended.
Submit in CCYY/MM/DD format (e.g.,
2017/01/01). Answer TBD (To Be
Determined) if the monitoring activity is
currently in progress.
Yes(Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were discovered
during the monitoring activity. Answer
TBD if deficiencies have yet to be
identified for an ongoing activity.
Provide the number of deficiencies,
findings or issues identified.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Provide a summary of all deficiencies,
findings or issues identified during the
monitoring activity. If the monitoring
activity is identified in the pre-audit
issue summary submitted to CMS,
please include the issue number.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Page 25 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column ID
Field Name
M
Corrective Action
Required
Field
Type
CHAR
Always
Required
Field
Length
200
Description
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether corrective
action is required for each
deficiency/issue identified. Answer
TBD if corrective actions have yet to be
determined for an ongoing activity.
Answer “Y” if every previously
described deficiency identified during
the monitoring activity required a
corrective action. Answer “N” if none of
the previously described deficiencies
required a corrective action. If some but
not all of the previously described
deficiencies from the monitoring
activity required corrective action,
specify which deficiencies needed a
corrective action and separate by a
number as needed (e.g., 1. Part D
coverage determinations processed
incorrectly – Y, 2. Part D coverage
determinations Timeliness – N).
Answer TBD if corrective actions have
yet to be identified for an ongoing
activity.
Page 26 of 27
v. 10-2016
Parts C and D Compliance Program Effectiveness (CPE)
AUDIT PROCESS AND DATA REQUEST
Column ID
Field Name
N
Corrective Action
Description
Field
Type
CHAR
Always
Required
Field
Length
1000
Description
Provide a summary of the corrective
action(s) implemented by the sponsor in
response to the noncompliance or
potential FWA, including any root cause
analysis, timeframes for specific
achievements and any ramifications for
failing to implement the corrective
action satisfactorily.
For a monitoring activity that identifies
multiple issues, separate the corrective
actions implemented for each issue by a
number as needed (e.g., 1. employee
coaching was completed between
2017/02/01 and 2017/02/15 for the
errors identified during the 2017/01/01,
pharmacy mail order monitoring
activity, 2. member remediation was
conducted for 50 members that never
received their approved medication).
Answer TBD if corrective measures
have yet to be determine for an ongoing
activity.
O
Monitoring Results
Shared?
CHAR
Always
Required
500
Answer N/A if corrective action was not
taken or determined necessary by the
sponsor for any of the identified issues.
Provide a summary that describes how
the results of the monitoring activity
were communicated or shared with
sponsor’s affected components,
compliance department, senior
management and/or the FTE.
Answer TBD if results have yet to be
determined and shared with others for
an ongoing activity.
Page 27 of 27
v. 10-2016
File Type | application/pdf |
File Title | Part C and D Compliance Program Effectiveness (CPE) Program Area |
Subject | AUDIT PROCESS AND DATA REQUEST |
Author | Centers for Medicare and Medicaid Services |
File Modified | 2016-12-06 |
File Created | 2016-10-11 |