January 1, 2016: Plan Benefit Period Begins
This past November, the Industry Collaboration Effort, Inc. (ICE) hosted its annual conference that focused on health care industry developments and operational ICE_logo.pngimprovements. The conference offered an opportunity to listen to healthcare regulators and participate in topic-specific breakout sessions. MedHOK was proud to be a Diamond sponsor of the event.
If you missed the conference or would like to review the information that was presented, ICE is posting the audio and slides to its site at http://www.iceforhealth.org/podcasts.asp. Be sure to check back to the website as additional audio and slides are being updated.
Classification of Audit Conditions: ICARs, CARs and Observations
On November 30, 2015, the Centers for Medicare and Medicaid Services (CMS) released an HPMS memo detailing the three audit condition classifications. Audit sponsors have indicated to CMS the need to be more transparent in what determines an Immediate Corrective Action Required (ICAR), Corrective Action Required (CAR) or an Observation. A new condition, Invalid Data Submission (IDS) has also been added. CMS has provided the below clarification:
- Immediate Corrective Action Required (ICAR) – If CMS identifies systemic deficiencies during an audit that are so severe that they require immediate correction, the sponsor will be cited an ICAR. These types of issues would be limited to situations where the identified deficiency resulted in a lack of access to medications and/or services or posed an immediate threat to enrollee health and safety. The sponsor has three (3) business days from formal email notification to provide their plan to address or remediate the deficiency. For example, if CMS identified that a sponsor’s formulary was programmed incorrectly resulting in inappropriate denials of needed medications, while the sponsor may not be able to re-program their formulary in three (3) business days, the sponsor would have to demonstrate to CMS the work around they implemented to immediately ensure that enrollees were receiving needed medications. The ICAR counts as two points in the audit scoring methodology.
- Corrective Action Required – If CMS identifies systemic deficiencies during an audit that must be corrected, but the correction can wait until the audit report is issued, the sponsor will be cited a CAR. These issues may affect beneficiaries, but are not of a nature that immediately affects their health and safety. Generally, they involve deficiencies with respect to non-existent or inadequate policies and procedures, systems, internal controls, training, operations or staffing. The sponsor will be afforded a total of seven (7) calendar days from the issuance of the final audit report to submit a corrective action plan for all conditions with a “corrective action required (CAR)” in appendix A. The sponsor should include a brief summary describing the process and give a timeframe for correction. Once submitted, CMS will review the corrective action plans. Once accepted by CMS, the sponsor will have 150 calendar days from the date of acceptance of the corrective action plan to undergo a validation (unless extension is requested and granted). The CAR counts as one point in the audit scoring methodology.
- Observations—If CMS identifies conditions of non-compliance that are not systemic, or represent a “one-off issue” the sponsor will be cited an observation. A “one-off issue” may be an issue dealing with one employee or a singular case that was lost or misidentified. Observations do not count in the audit scoring methodology.
- Invalid Data Submission (IDS) – An IDS condition is cited when a sponsor fails to produce an accurate universe within 3 attempts. IDS conditions are new for 2016 and are cited for each element that cannot be tested, grouped by type of case (e.g., CMS was unable to evaluate timeliness for your coverage determinations (standard or expedited, pre-service or payment), due to invalid data submission(s)). When the sponsor goes through their audit validation, they must produce the universes that auditors were unable to test during the original audit, to demonstrate their compliance with CMS requirements. The IDS condition will count as one point in the audit scoring methodology.
The protocols and other associated audit documents are located in the Downloads section of the CMS Program Audit website at https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html
Compliance Program Training Requirements and Audit Process Update – Additional Guidance
CMS issued an HPMS memo on June 17, 2015, entitled “Update – Reducing the Burden of the Compliance Program Training Requirements.” On December 28, 2015, CMS released an HPMS memo entitled “Additional Guidance – Compliance Program Training Requirements and Audit Process Update.”
The initial memo spoke to requirement to complete CMS’ compliance training module on the Medicare Learning Network (MLN) as meeting the Compliance Program Effectiveness (CPE) training requirement effective January 1, 2016.
CMS received inquiries and concerns from sponsors and first tier, downstream and related entities (FDRs) regarding the additional burden of taking CMS training along with their own organizational and/or FDR compliance trainings. CMS is suspending review of the training certification element in the CPE program audit protocol (Element #3). Sponsors will not be required to provide the documentation requested in the 2015/2016 Part C and D CPE Audit Process and Data Request – VII. Sponsor’s Accountability For and Oversight of FDRs – Bullet # 6. All other elements of the CPE protocol will continue to be audited.
The memo, in its entirety, can be found here
Cyber Bill Included in Omnibus
A new cybersecurity bill made its way into the omnibus spending bill this month. The bill that was signed is the Cybersecurity Information Sharing Act of 2015 (CISA). The inclusion is the largest of its type and is geared to encourage businesses to exchange data on hacking and cyber threats via a task force while providing incentives to those who participate. The proposed task force will be comprised of various businesses working alongside the government in an effort to analyze how industries implement cyber security strategies and evaluating challenges and barriers impacting healthcare organizations in defeating cyber-attacks.
CISA is positioned to enhance the overall security posture of companies by eliminating the lagged reporting process by providing a direct line to the FBI, NSA and CIA during times of attacks without having to first go through Homeland Security. Many companies such as Twitter, Apple, LinkedIn and Amazon oppose the legislation and believe it is a direct violation of civil liberties and internet freedom while other large companies such as Facebook and Verizon think it’s a great idea in stopping cyber-attacks.
While the success or failure of this bill is still unclear, cyber-attacks become more prevalent each year with little end in sight leaving little choice but for companies to bolster their cyber security stance..