Compliance Program Guidance Overview of Chapters 9 & 21 Marianne Bechtle, JD, CHC CM/Program Compliance and Oversight Group, Division of Compliance Enforcement Phil Sherfey, JD, CHC CM/Program Compliance and Oversight Group, Division of Compliance Enforcement Beth Brady, CFE, AHFI Center for Program Integrity, Division of Plan Oversight and Accountability September 5, 2012 Image of blueprint CMS logo

Background Overview of the Revised Compliance Program Guidelines Agenda 2

The Division of Compliance Enforcement (DCE) has a streamlined process for responding timely to policy questions or inquiries: Questions/Answers 3

Chapter 9 Medicare Prescription Drug Benefit Manual * & Chapter 21 Medicare Managed Care Manual** Based on regulations that were effective on January 1, 2011 Content Identical Applicable to Medicare Part C and Part D programs Applicability to Cost Plans and PACE as stated in Section 10 Released through HPMS on Friday, July 27, 2012 Effective immediately * Internet-Only Manual (IOM), Pub * * IOM, Pub Revised Guidance 4

February 8, 2012 – Draft Compliance Program Guidelines issued for public comment via HPMS March 16, 2012 – Comment period ended Robust review and comment process (900+ comments) DCE/CPI workgroup 68 entities (Medicare Advantage Organizations and Prescription Drug Plans, Delegated Entities, Trade Associations, consultants, etc.) Topics of interest: FDR oversight Content requirements for Policies, Procedures, Standards of Conduct Role of governing body & executive management Compliance training of deemed providers Frequency requirements for checking OIG/GSA exclusion lists July 27, 2012 – Final Compliance Program Guidelines issued via HPMS The Journey: Draft to Final 5

Must: Requirements created by statute or regulation vs. Should: Expectations identified in Guidelines vs. Best Practices: Recommendations Section 10 - Introduction 6

Identifies 7 elements of an effective compliance program In order to be effective, the Sponsor’s compliance program must be fully implemented Adequate resources are essential to an effective compliance program Section 30 - Overview of Mandatory Compliance Program 7

Who is an FDR? Sponsor determines whether its delegated entity is an FDR subject to compliance requirements How to Determine Who is an FDR Consider functions that are related to Medicare Parts C and D contracts If an entity is performing one of these functions, it is very likely appropriate to categorize the entity as an FDR If not performing one of the listed functions, analyze all facts and circumstances, including factors listed in chapter Section 40 - Sponsor Accountability for and Oversight of FDRs 8

Standards of Conduct (SOC) Also referred to as “Code of Conduct” or other similar terms Provide the overarching principles by which the Sponsor operates May be in a Medicare-specific document, or included as part of the Sponsor’s commercial business Code of Conduct Section Element I: Written Policies, Procedures and Standards of Conduct 9

Policies and Procedures (Ps & Ps) Describe operation of compliance program Detailed and specific Implement the operation of compliance program Should be updated to reflect changes in laws, regulations, other Medicare program requirements Section Element I: Written Policies, Procedures and Standards of Conduct 10

Section Element I: Written Policies, Procedures and Standards of Conduct 11 To EmployeesTo FDRs When? Within 90 days of hire When updated Annually Within 90 days of contracting When updated Annually How? Hard copy initially then electronic electronic copy Posting on intranet Fax blast Placement on Sponsor’s FDR Portal Contained as attachments to the FDR Contract Distribution of SOC and Ps & Ps

Compliance Officer Compliance reports must reach senior-most leader Must have express authority to provide unfiltered, in- person reports to senior leader/governing body Reports should not be routed through operational management (e.g. Chief Operating Officer, Chief Financial Officer, General Counsel) Compliance Officer reports may be relayed through divisional Presidents Compliance reports to governing body must be made through a Sponsor’s compliance infrastructure Section Element II: Compliance Officer, Compliance Committee and High Level Oversight 12

Compliance Committee No requirement for separate “Medicare” Compliance Committee Accountable to senior leadership and governing body Must provide regular compliance reports to senior leadership and governing body Section Element II: Compliance Officer, Compliance Committee and High Level Oversight 13

Governing Body Sponsor’s or parent’s governing body (e.g. Board, etc.) must oversee compliance May delegate oversight to committee, but governing body as whole ultimately accountable Must be knowledgeable about compliance risks Section Element II: Compliance Officer, Compliance Committee and High Level Oversight 14

Senior Management Senior-most leader of contract holder must be engaged in compliance program oversight Must integrate Compliance Officer into organization Must be advised of all compliance enforcement activity, etc. Section Element II: Compliance Officer, Compliance Committee and High Level Oversight 15

General Compliance Training for Employees Who? All employees (including CEO, administrators and managers) Governing body members When? Within 90 days of hire and Annually thereafter How? Classroom training Online training modules Attestations that employees have read and received the Sponsor’s Standards of Conduct and/or compliance policies and procedures Sponsors must be able to demonstrate that their employees have fulfilled these training requirements Section Element III: Effective Training and Education 16

General Compliance Training for FDRs What? Sponsors must communicate the following to FDRs: General compliance information and Compliance expectations are communicated to FDRs How? Distribution of Sponsor’s Standards of Conduct and/or compliance policies and procedures to FDRs’ employees through Provider Guides, Business Associated Agreements, etc. Section Element III: Effective Training and Education 17

Fraud, Waste, and Abuse (FWA) Training Who? All employees (including CEO, administrators and managers) Governing body members FDRs When? Within 90 days of hire and Annually thereafter FDRs? Sponsors must provide FWA training directly to FDRs or Sponsors must provide training materials or Sponsors must ensure FDRs complete the CMS FWA Training Module Specialized training may be provided based on FWA risks specific to an individual’s job function Section Element III: Effective Training and Education 18

FWA Training (Deemed FDRs) FDRs meeting FWA certification through Parts A/B enrollment or accreditation as DMEPOS* supplier are “deemed” to have met FWA training requirement If a chain pharmacy, each individual location must be enrolled to be deemed * DMEPOS = Durable Medical Equipment, Prosthetics, Orthotics, and Supplies Section Element III: Effective Training and Education 19

Compliance Officer: Communicating with Others Compliance Officer’s name, location, and contact information must be shared with employees and FDRs Implement a system to communicate changes in law, regulations, sub-regulatory guidance, and P&Ps Information must be disseminated timely Numerous examples of methods to communicate both internally and to FDRs Sponsor must educate enrollees about identification and reporting of potential FWA Section Element IV: Effective Lines of Communication 20

Section Element V: Well-Publicized Disciplinary Standards Disciplinary Standards (Policies & Procedures) Must be clear and specific Must describe the Sponsor’s expectations for reporting compliance issues and assisting in the resolution of reported compliance issues Must identify noncompliant, unethical, or illegal behavior through examples of violative conduct 21

Disciplinary Standards (Publicize & Enforce) Provide timely, consistent and effective enforcement of standards Numerous examples provided of how to publicize disciplinary standards Records must be maintained for 10 years for all compliance violation disciplinary actions Section Element V: Well-Publicized Disciplinary Standards 22

Routine Monitoring and Auditing Must conduct monitoring and auditing to test and confirm compliance with Medicare requirements Monitoring: regular reviews of operations to ensure ongoing compliance Auditing: formal review of compliance with a set of standards Must develop an annual monitoring and auditing work plan Compliance Officer must receive regular reports from the audit department regarding results and corrective actions taken Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 23

System to Identify Compliance Risks Must conduct a formal baseline assessment of major compliance and FWA risk areas (e.g., risk assessment) Must take into account all Medicare business operational areas Examples provided of high risk areas for Medicare Parts C and D Sponsors Must audit the effectiveness of the compliance program (annually) Transfer results into a monitoring and auditing work plan Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 24

Audits: Sponsor’s Operations and Compliance Program Audit function may be a separate department or performed by the Compliance department Must designate adequate resources to meet the work plan goals No self-policing by operational areas; must be independent auditors, internal audit or compliance Must audit the effectiveness of the compliance program and share results with governing body Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 25

Monitoring and Auditing FDRs Sponsors are responsible for compliance with CMS requirements, including work performed by their FDRs Must develop a strategy to monitor and audit first-tier entities for compliance program requirements Must ensure first-tier entities fulfill compliance program requirements Must ensure first-tier entities monitor compliance of downstream entities Examples provided of how to conduct monitoring and auditing activities of FDRs (e.g., risk assessments, utilization reports) Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 26

Tracking and Documenting Compliance and Compliance Program Effectiveness Sponsors should track and document compliance efforts Dashboards, scorecards, self-assessments tools and other mechanisms help demonstrate compliance goals and achievements Issues of noncompliance and FWA identified in the assessment tools should be shared with senior management Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 27

OIG/GSA Exclusion Sponsors must review the DHHS OIG LEIE list and GSA EPLS prior to hiring or contracting, and monthly to ensure none of the persons or entities are excluded New and Temporary Employees Volunteers Consultants Governing Body members FDRs Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 28

Use of Data Analysis for FWA Prevention and Detection Establish baseline data to recognize unusual trends or changes in utilization or patterns over time Identify internal problem areas such as enrollment, finance, or data submission, and problem areas with the FDRs Use findings to determine where there is a need for policy changes Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 29

Special Investigation Units (SIUs) SIU - An internal unit, often separate from the compliance department, responsible for investigation of potential FWA Sponsors are not expected to perform law enforcement duties and may refer FWA matters to the NBI MEDIC or to law enforcement SIUs must be accessible via phone, , Internet and mail, and Sponsors must ensure FWA can be reported anonymously Communication and coordination between the SIU and compliance department is key in ensuring that all Medicare Parts C and D benefits are protected from FWA schemes Section Element VI: Effective System for Routine Monitoring, Auditing, and Identification of Compliance Risks 30

If Potential FWA is Detected... Sponsors must initiate a reasonable inquiry as soon as possible, but not later than 2 weeks after the date the incident is identified After a preliminary investigation, Sponsors may refer potential FWA to the NBI MEDIC if they do not have the time or resources to investigate fully Referrals should be made to the NBI MEDIC within 30 days so that the fraudulent or abusive activity does not continue Sponsors are responsible for monitoring for FWA and noncompliance within their organizations Section Element VII: Procedures and System for Prompt Response to Compliance Issues 31

Corrective Actions Must be designed to correct the underlying problem Must be implemented in response to FWA or noncompliance Must prevent future noncompliance (root cause analysis) Must include timeframes for achievements Must be documented and include ramifications if the corrective action was not implemented satisfactorily Sponsors must ensure FDRs have corrected their deficiencies Thorough documentation must be maintained of all deficiencies identified and corrective actions taken Section Element VII: Procedures and System for Prompt Response to Compliance Issues 32

Medicare Drug Integrity Contractors (MEDICs) Perform specific program integrity functions for Medicare Parts C and D The National Benefit Integrity (NBI) MEDICs Identify potential FWA Investigate referrals from sponsors and keep sponsors informed Refer to law enforcement or other entities when necessary May request additional information from the sponsors which should be provided within 30 days unless otherwise specified Section Element VII: Procedures and System for Prompt Response to Compliance Issues 33

CMS issues alerts about fraud schemes identified by law enforcement officials. In response, Sponsors should... Review contractual agreements with identified parties Consider terminating contracts if law enforcement has issued indictments and the terms of the contract authorizes termination in such instances Review past paid claims from entities identified in the fraud alert Identify claims that may have been part of an alleged fraud scheme and remove them from PDE submissions Section Element VII: Procedures and System for Prompt Response to Compliance Issues 34

To Identify Providers with a History of Complaints, Sponsors... Should maintain files for 10 years on providers who have been the subject of complaints, investigations and prosecutions Should maintain files that contain documented warnings, educational contacts, copies of complaints, and results of investigations Must comply with requests from law enforcement, CMS or CMS’s designee regarding monitoring of potentially abusive or fraudulent providers Section Element VII: Procedures and System for Prompt Response to Compliance Issues 35

The Division of Compliance Enforcement (DCE) has a streamlined process for responding timely to policy questions or inquiries: Questions/Answers 36

WEBSITE FOR PROGRAM COMPLIANCE & OVERSIGHT GROUP (PCOG) COMING SOON 37