CMS-10717 CPE Compliance Officer Questionnaire

Program Audit Data Request
Compliance Program Effectiveness (CPE)
Compliance Officer Questionnaire (CO-Q)

Name of Sponsoring Organization:
Enter your response here
Contract Numbers:
Enter your response here
Name and Title of Person Completing Questionnaire:
Enter your response here
Date Completed:
Select date
This questionnaire will assist CMS with understanding the Sponsoring organization’s
mechanisms for overseeing the performance and effectiveness of the compliance program from
the compliance officer’s perspective.
Please upload the completed form to HPMS within 15 business days of receiving your audit
engagement letter.
We recognize that your time is valuable and appreciate your availability to provide responses to
our questions regarding the compliance program. The responses to these questions may be
discussed during the CPE audit.
Please specifically note the following when completing the questionnaire:
•
•
•
•
•
•

•

•

“You”, “your” refers to your organization, not necessarily a specific person.
“Employees” refer to employees, including senior management, who support your Medicare
business.
“Compliance Officer” refers to the compliance officer who oversees the Medicare business.
“CEO” refers to the Chief Executive Officer of the organization or the most senior officer,
usually the President or Senior Vice President of the Medicare line of business.
“Compliance Program” refers to your Medicare compliance program.
If the Medicare contract holder is a wholly owned subsidiary of a parent company, references
to the governing body, CEO, and highest level of the organization’s management are to the
board, CEO and management of the company (parent or subsidiary/contract holder) that the
organization has chosen to oversee its Medicare compliance program.
“First Tier Entity” refers to any party that enters into a written agreement, acceptable to
CMS, with an organization to provide administrative services or health care services to a
Medicare eligible individual under the Part C and/or Part D program.
“Downstream Entity” refers to any party that enters into a written agreement, acceptable to
CMS, with persons or entities involved with the Medicare Part C and/or Part D benefits
below the level of the arrangement between an organization and a first tier entity. These
written agreements continue down to the level of the ultimate provider of both health and
administrative services.

Page 1 of 5

v.05-2020

Program Audit Data Request
Compliance Program Effectiveness (CPE)
Compliance Officer Questionnaire (CO-Q)

•

•

“Related Entity” refers to any entity that is related to an organization by common ownership
or control, and
o performs some of an organization’s management functions under contract or delegation,
o furnishes services to Medicare enrollees under an oral or written agreement, or
o Leases real property or sells materials to the organization at a cost of more than $2,500
during a contract period.
Unless specific reference is made in the question to the term “governing body”, it means
either the full board of directors or a committee of the board of directors delegated to
conduct oversight of the day-to-day operation of the Medicare compliance program on behalf
of the full governing body.

1. How long have you been employed with the Sponsoring organization and served as the

Medicare Compliance Officer?
Enter your response here
2. Provide a general overview of your responsibilities as the Compliance Officer.

Enter your response here
3. Do you have any other responsibilities in addition to being the Compliance Officer for

this Sponsoring organization? If yes, please describe those positions and responsibilities.
Enter your response here
4. What resources do you use to keep current on CMS requirements, and, compliance,

audit, and enforcement information and activities? How is this information shared
throughout your organization and First Tier, Downstream, and Related Entities?
Enter your response here
5. Briefly explain how you approach a new situation, emerging issue or new CMS policy

where an internal policy or process is not in place to respond to the issue or implement
the new requirement.
Enter your response here
6. How is the compliance department informed and kept up-to-date on tasks and

assignments that have been delegated to internal operations and First Tier,
Downstream, and Related Entities?
Enter your response here

Page 2 of 5

v.05-2020

Program Audit Data Request
Compliance Program Effectiveness (CPE)
Compliance Officer Questionnaire (CO-Q)

7. Briefly explain how you would handle a compliance issue that involves a Medicare

operational area and/or a First Tier, Downstream, and Related Entity that impacts
enrollees’ timely access to their health or drug benefits? Provide an example if you
have one.
Enter your response here
8. Describe how you handle, or would handle poor compliance performance of Medicare

operations within your Sponsoring organization.
Enter your response here
9. Briefly describe the communication process between the compliance officer, compliance

committee, senior management and governing body. Please provide an issue, or topic,
you reported to the committee, CEO or senior-most leader and governing body.
Enter your response here

10. As the Compliance Officer, what types of decisions do you make at your level

without consulting with your leadership? What indicators or triggers are used to
determine when and what to escalate to your leadership?
Enter your response here
11. Describe how the compliance department determines what issues to escalate to the

governing body? Include, how and when the parties are advised of operational and
regulatory compliance activities (e.g., critical discussions with the CMS Account
Manager, Notices of Non- Compliance, Civil Money Penalties, Marketing/Enrollment
Sanctions).
Enter your response here
12. How do you measure employee, governing body member, and First Tier, Downstream,

and Related Entity awareness and understanding of the compliance program?
Enter your response here
13. Briefly explain how compliance program education and training is implemented. Please

include the timing/frequency, the vehicle for distribution, mechanism for tracking and
to whom it is provided.
Enter your response here
Page 3 of 5

v.05-2020

Program Audit Data Request
Compliance Program Effectiveness (CPE)
Compliance Officer Questionnaire (CO-Q)

14. What is your process to ensure written policies and procedures and standards of

conduct are available within your Sponsoring organization?
Enter your response here
15. How do you ensure that your staff is aware of disciplinary standards?

Enter your response here
16. What reporting mechanisms are in place to communicate concerns/issues (i.e.

operational areas compliance, fraud, etc.) to the compliance department?
Enter your response here
17. Since CMS no longer collects call logs for program audit purposes, what has your

organization done to ensure that incoming requests are handled properly?
Enter your response here

18. During the review period, how many compliance issue reports did you receive? If

multiple reporting mechanisms are available, please provide a breakout by mechanism.
Ex: compliance hotline, FWA hotline, web, drop box, etc.
Enter your response here
19. How often do you check your mechanisms, and what assurance do you have that your

mechanisms are confidential?
Enter your response here
20. How do you ensure the Medicare compliance program is effectively identifying and

correcting compliance and fraud, waste, and abuse issues/incidents? Has this been
effective?
Enter your response here
21. Describe the methods or process used for tracking compliance issues through resolution

and remediation and to ensure the root cause has been addressed to prevent recurrence
(e.g. centralized tracking database, logs, etc.).
Enter your response here

Page 4 of 5

v.05-2020

Program Audit Data Request
Compliance Program Effectiveness (CPE)
Compliance Officer Questionnaire (CO-Q)

22. Briefly explain your system for identifying compliance risks.

Enter your response here
23. Briefly describe how you create and implement auditing and monitoring for compliance

and oversight of Medicare operations.
Enter your response here
24. Describe the process for sharing the results of internal monitoring and auditing activities

with parties within the organization.
Enter your response here
25. Explain how your organization tracks, measures and documents the

effectiveness of its compliance program.
Enter your response here
26. Do you have any questions or comments for CMS?

Enter your response here

PRA Disclosure Statement According to the Paperwork Reduction Act of 1995, no persons are required to respond to
a collection of information unless it displays a valid OMB control number. The valid OMB control number for this
information collection is 10938-NEW (Expires: TBD). The CMS control number is CMS-10717. The time required
to complete this information collection is estimated to average 701 hours per response, including the time to review
instructions, search existing data resources, gather the data needed, and complete and review the information
collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this
form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05,
Baltimore, Maryland 21244-1850. Please do not send applications, claims, payments, medical records or any
documents containing sensitive information to the PRA Reports Clearance Office. Please note that any
correspondence not pertaining to the information collection burden approved under the associated OMB control
number listed on this form will not be reviewed, forwarded, or retained. If you have questions or concerns regarding
where to submit your documents, please contact 1-800-MEDICARE.

Page 5 of 5

v.05-2020