OIG Report on PDP Sponsors' Compliance Plans: Preparation Tool for CMS Audits in 2007 and Beyond
by Sarah K. Giesting , Polaris Management Partners LLC , New York, NY
The government recovered over $2.2 billion in fines for fraud and abuse from the healthcare industry in 2006, amounting to nearly 75 percent of the total recovered in the United States. The government, as the largest purchaser of healthcare services in the United States, has an interest in preventing and prosecuting fraud. One example of this is the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (" MMA"), which requires all Medicare Part D plan sponsors to have a program to control fraud, waste, and abuse ("FWA"). Plan sponsors must also have a comprehensive plan to detect, correct, and prevent fraud, waste, and abuse.
To evaluate these FWA requirements, the Office of the Inspector General ("OIG") within the U.S. Department of Health and Human Services released a report on January 4, 2007, entitled Prescription Drug Plan Sponsors' Compliance Plans. The OIG's report had two key objectives: (1) to determine whether prescription drug plan ("PDP") sponsors have developed compliance plans as required by the MMA; and (2) to determine whether PDP sponsors' compliance plans, as of January 2006, addressed all the compliance elements and selected recommendations promulgated by the Centers for Medicare and Medicaid Services (" CMS"). The OIG found that while all 60 PDP sponsors had compliance plans, 72 of the 79 compliance plans failed to address all CMS requirements for at least one of the eight required compliance plan elements.
This OIG report is an important tool for legal counsel and compliance officers to review in preparing for CMS audits in 2007. This article assesses the major findings of the Prescription Drug Plan Sponsors' Compliance Plans report and the areas identified by the OIG as particularly problematic. Additionally, it highlights areas that the OIG did not include in its assessment, but which all sponsors are responsible for including in their compliance plans.
Major Findings of the Prescription Drug Plan Sponsors' Compliance Plans Report
As mentioned, the OIG determined that 91 percent of the compliance plans did not adequately address all CMS requirements for the eight compliance plan elements. These elements are: (1) written policies, procedures, and standards of conduct; (2) designation of a compliance officer and compliance committee; (3) effective training and education; (4) effective lines of communication; (5) enforcement of standards through disciplinary guidelines; (6) internal monitoring and auditing procedures; (7) procedures to ensure prompt response and corrective action for detected offenses; and (8) a comprehensive FWA plan. The OIG also noted that compliance plans ranged in length from nine pages to two large binders.
The agency found that 21 compliance plans did not adequately address element number two—i.e., whether a compliance officer and compliance committee had been designated–and that four of these compliance plans failed to address this element in any way. Compliance plans should clearly designate both a compliance officer and compliance committee, as well as outline their specific responsibilities, including developing, operating, and monitoring the compliance plan.
The OIG also found that many compliance plans did not to satisfy element number six because they lacked procedures for internal monitoring and auditing. Seventy-one of the 79 compliance plans did not address all five of the CMS requirements for this element and 52 of the plans addressed only one or two requirements. In addition, 44 of the reviewed compliance plans did not indicate that the sponsor had procedures in place to monitor and audit the activities of its first-tier, downstream, and related entities. Compliance plans must outline the sponsors' internal monitoring and auditing procedures, including an auditing schedule, to have an effective compliance plan. They should also outline the procedures to monitor and audit the activities of the sponsors' first-tier, downstream, and related entities and clearly state that these entities must provide their records to CMS or its designee upon request.
Furthermore, the OIG recognized that some compliance plans merely restated the language of the compliance plan elements but did not provide specific details. For example, 41 of the 78 compliance plans failed to discuss the topics covered in compliance training, the training format, and the consequences for failure to complete required training. Sponsors should tailor their compliance plans to the organizations' practices, policies, and systems to provide sufficient detail to implement each compliance plan element.
A key OIG finding was that the eighth element to have a comprehensive FWA plan was insufficient in 64 of the compliance plans. Fourteen of them did not indicate that the sponsors had procedures in place to identify fraud, waste, and abuse. Compliance plans must have clear policies and procedures to identify and respond to potential violations.
Additional Requirements Not Assessed by the OIG
There are several CMS requirements and additional requirements from the Chapter 9 Prescription Drug Benefit Manual not assessed by the OIG that are worth noting. Among the additional areas that must be included in compliance plans are:
Written policies and procedures – Compliance plans should clearly state their organizations' commitment to complying with all federal and state laws and regulations. Plans should include a code of conduct in addition to policies and procedures addressing each of the eight compliance plan elements. Chapter 9 identifies 18 specific areas that legal counsel and compliance officers should ensure that policies and procedures address.
Compliance officer and compliance committee – Compliance plans should state that a compliance officer and compliance committee have been designated and clearly identify the responsibilities of each. Chapter 9 identifies the duties for which each should be responsible.
Training and education – Compliance plans must specify that all employees involved in the administration or delivery of a Part D program receive general training. Compliance plans should also identify those individuals that must complete specific training. Compliance plans should state training requirements and the procedures to ensure compliance with these requirements.
Lines of communication – Compliance plans should require all employees, contractors, and agents of its organization and first-tier, downstream, and related entities to report potential fraud. Compliance plans should state policies and procedures for ensuring confidentiality, anonymity, and non-retaliation. Employees should be aware of all mechanisms available to report potential fraud, including hotlines, suggestion boxes, and exit interviews. Additionally, employees should be made aware of how to report potential fraud to appropriate law enforcement agencies or Medicare Drug Integrity Contractors.
Disciplinary guidelines – Compliance plans should clearly state specific disciplinary policies and consequences for violations.
Monitoring and auditing – Compliance plans should clearly state the methodology, schedule, and types of auditing and monitoring that will be conducted. They should state the parties involved and the roles of each, including the compliance officer and compliance committee. Policies and procedures for monitoring and auditing first-tier, downstream, and related entities should also be included. Chapter 9 outlines examples of risks for fraud, waste, and abuse, which should be considered when developing monitoring and auditing procedures.
Prompt response and corrective action – Compliance plans should state the procedures for conducting a prompt and reasonable inquiry of the sponsors' employees or those of first-tier, downstream, and related entities, and corrective action procedures if a violation is discovered. Compliance plans should clearly state procedures for voluntary self-reporting to government authorities.
Comprehensive plan to detect FWA – Compliance plans should include the compliance officer's duties for responding to potential violations and maintaining documentation for each report of potential fraud; compliance training that addresses pertinent fraud and abuse laws; report(s) that the sponsors receive and review from first-tier, downstream, and related entities; and procedures for voluntary self-reporting to government authorities.
Legal counsel and compliance officers should use the OIG's report and CMS guidance as tools to re-evaluate their organizations' compliance plans and prepare for CMS audits. It is imperative to remember that the OIG did not assess the quality of the compliance plans reviewed or the extent to which they had been implemented by each PDP sponsor. Sponsors should prepare for CMS audits by fulfilling all CMS requirements, assessing the quality of their compliance programs, and fully implementing their compliance programs. As the compliance picture for Part D develops through additional guidance and enforcement actions, sponsors can use these tools to further drive the development of their compliance plans.