ACO Compliance Your First Audit is Sooner Than You Think

Transcription

1 ACO Compliance Your First Audit is Sooner Than You Think Fundamentals for Operations and Risk Management Third National ACO Congress November 1, 2012 Bruce Merlin Fried Partner T bruce.fried@snrdenton.com Tyrina Blomer Chief Regulatory Officer Universal American Corp. T tblomer@universalamerican.com Mark Hamelburg Senior Counsel T mark.hamelburg@snrdenton.com 1

2 Your First Audit? 2

3 Congratulations Now It s Time To Get To Work! Congratulations on your acceptance letter Acceptance in the program is just the beginning Remember all those things you agreed to do? Government will likely require compliance from day one Practical advice to get you started 3

4 Compliance: The Broader Context Across all of Government: Persistent and Growing Focus on Compliance Financial Services Defense Acquisitions Health Care Not Just about Regulatory Adherence, Increasingly about Fraud, Waste & Abuse Private sector is also more active Whistle Blowers: Qui Tam Relators Collaboration between Commercial and Government Insurers on Fraud Programmatic Success Turns on Good Compliance 4

5 CMS Expectations for An Effective Compliance Program Prevents, detects, and responds to violations of law or policy Proactive not reactive approach Includes fully-engaged and informed leadership team and board of directors Culture of compliance with clear expectations of ethical and proper behavior Proactive, comprehensive identification and response to compliance risk 5

6 MSSP ACO Regulatory Requirements CMS regulation (42 CFR ) requires a compliance plan with at least the following elements: Designated compliance official who reports directly to ACO governing board Mechanisms for identifying and addressing compliance problems Method for individuals/entities performing functions or ACO-related services to anonymously report suspected ACO problems to compliance officer Compliance training for the ACO s participants/providers and suppliers Reporting of probable violations of law to an appropriate law enforcement agency Regulation also requires periodic updates to reflect changes in law and regulations 6

7 Compliance Official Must report directly to ACO governing board What about an ACO management compliance committee? While a management compliance committee is not specifically required; it is stated to be integral to establishment of an effective compliance program in CMS-regulated entities Cannot be legal counsel to the ACO ACOs that are existing entities can use current compliance officer Other qualifications: nothing specific Draw from MA and Part D experience Full-time employee (but can have duties beyond compliance) Knowledgeable about program and regulations Respected, right temperament, good people skills 7

8 Compliance Official Beyond Medicare ACO Compliance issues May also be Chief Privacy/Data Security Officer for HIPAA and CMS DUA Will ACO have an ethics officer? Ombudsman? Risk Management? 8

9 Identifying & Addressing Compliance Problems Regulatory Requirement: Must have mechanisms to identify and address compliance problems related to ACO operations and performance CMS Expects: Open lines of communication to compliance official Prompt response to issues raised Investigations focused on root cause Correct problems at root cause level to reduce potential for recurrence Timely resolution to compliance issues identified Be prepared to show correction to CMS with data Implementation of consistent and appropriate corrective actions (e.g., disciplinary action) 9

10 Identifying & Addressing Compliance Problems: The Details Drawing on Medicare Advantage strategies, government may be expecting some combination of: Internal Auditing & Monitoring to include data analysis and validation Annual Risk Assessments to identify key risks Annual Risk Assessments Development and appropriate documentation of a corrective action plan (CAP) for identified issues Follow-up tracking to confirm successful implementation of CAP and timely closure Disciplinary guidelines (published/documented) to encourage compliance Monitoring of provider/suppliers/other entities contracted or delegated to perform ACO functions/services 10

11 Anonymous Reporting Typically involves mechanisms like a Hotline Must be available to: ACO employees/contractors ACO participants, providers, suppliers Other individuals or entities performing functions or services related to or delegated to perform ACO activities Should publicize: ACO s website, in training materials, in contracts, on signs in offices, etc. Ensure mechanism to track incoming calls and document how issues reported are ultimately resolved Depending on seriousness of issues reported, protocols should provide for escalation to management and document management actions (investigation and resolution) 11

12 Compliance Training Trainees ACO governing body and employees ACO participants ACO providers and suppliers Contracted or Delegated Entities Consider requiring any first tier entities, downstream entities, and related entities to have their own training, or where sufficient organizational similarities, make your training programs available to them No specified content/timing CMS would likely expect initial training in new ACO, training for new hires, and periodic re-training Documentation Maintain attendance records, content, etc. Disciplinary guidelines to ensure training (upon hire & annually thereafter) 12

13 Compliance Training & Building Culture: Other Opportunities Creating a Culture of Compliance Communications from CEOs Annual Compliance Week Newsletters Facility Posters on Compliance and HIPAA Privacy Compliance Alert s (e.g., ACO regulation updates) Town Halls ACO Compliance FAQ Hotline 13

14 Self Reporting The compliance plan must require reporting of probable violations of law to an appropriate law enforcement agency Issues to consider include: Defining what is a probable violation Timing of the ACO investigation/reporting De minimis issues What law enforcement agency is appropriate? Other Start with CMS 14

15 Credentialing While not specifically addressed by MSSP ACO regs, It is advisable to be familiar with Medicare Advantage credentialing requirements. The final decision making authority for credentialing and peer reviews should rest with governing bodies ACO should credential clinicians employed by the ACO: Chief Medical Officer, clinicians involved in care coordination, case management, etc. All ACO participants (physician groups, hospitals, others) must adhere to credentialing and review standards Contracts Bylaws ACO Policy & Procedures 15

16 Credentialing: CMS Expectations & MA Organizations Credentialing is required for: All physicians who provide services to the organization s enrollees, including members of physician groups; and All other types of health care professionals who provide services to the organization s enrollees and who are permitted to practice independently under state law. Credentialing is not required for: Health care professionals who are permitted to furnish services only under the direct supervision of another practitioner; Hospital-based health care professionals who provide services to enrollees incident to hospital services, unless those health care professionals are separately identified in enrollee literature as available to enrollees; or Students, residents, or fellows. 16

17 Credentialing: CMS Expectations & MA Organizations Confirmation of Eligibility for Medicare Participation (GSA/OIG Exclusion) Policies and procedures for the selection and evaluation of health care professionals Initial Credentialing (upon hire) to include verification of applicants credentials and other pertinent information Recredentialing expected, at least every 3 years Ongoing monitoring of sanctions and grievances filed against health care professionals 17

18 Potential Compliance Targets Targets of initial government compliance reviews may include: Accuracy of data submissions Annual certification that ACO is in compliance with all legal requirements Annual certification that all data and information submitted by the ACO is accurate and complete Beneficiary inducements Limitation on beneficiary freedom of choice (e.g., Beneficiary steering) Avoidance of at-risk beneficiaries Compliance with Data Use Agreement (note: more stringent than HIPAA) Compliance with HIPAA Documentation of OIG/GSA exclusion screening Submission & appropriate substance (avoidance of steering or inducements) of marketing materials for CMS approval 18

19 Potential Compliance Targets Targets of initial government compliance reviews may include: Cherry picking (e.g., as reflected in risk profile changes in assigned population over time) Adequate publicizing of anonymous reporting hotline Issues that arise when an ACO has several contracts (Medicare, Medicaid, commercial) Antitrust concerns Documentation of training Documentation that ACO policies/procedures are being distributed, updated, and retained 19

20 Potential Compliance Targets Targets of initial government compliance reviews may include: Are ACO, ACO participants, providers/suppliers, and other ACO contracted entities retaining records as required by regulation? May include review of contract language requiring record retention and permitting government audits inspections May also test accessibility of information Documentation regarding ACO-mandated beneficiary notices and signs, including data opt-out notices 20

21 Challenges & Other Issues to Consider Implementing elements of cohesive compliance plan across independent physician practices and other providers/suppliers Support staff turnover Implementing contract provisions (e.g., to ensure preservation of records by participants, providers/suppliers, and contracted entities, ensuring government right to audit/inspect, and to permit internal monitoring) Determining appropriate number of compliance employees needed for an effective compliance program Determining appropriate level of monitoring/auditing for size of ACO Measuring CMS expectations Where does the ACO s CCO responsibilities end? How does ACO compliance intersect with provider compliance obligations? Meeting technical requirements of OIG/CMS waivers Thinking down the road: developing process, including potential engagement with outside vendor, for responding to future CMS audits 21

22 Our Locations 22