1

ACO Compliance Your First Audit is Sooner Than You Think

Fundamentals for Operations and Risk Management

Bruce Merlin FriedPartner

T +1 202.408.9159 bruce.fried@snrdenton.com

Mark HamelburgSenior Counsel

T +1 202 408 9115 mark.hamelburg@snrdenton.com

Tyrina BlomerChief Regulatory Officer Universal American Corp.

T +1 713 3141664tblomer@UniversalAmerican.com

Third National ACO Congress November 1, 2012

2

Your First Audit…?

3

Congratulations…Now It’s Time To Get To Work!

Congratulations on your acceptance letter

Acceptance in the program is just the beginning

Remember all those things you agreed to do?

Government will likely require compliance from day one

Practical advice to get you started

4

Compliance: The Broader Context

Across all of Government: Persistent and Growing Focus on Compliance

– Financial Services

– Defense Acquisitions

– Health Care

Not Just about Regulatory Adherence, Increasingly about Fraud, Waste & Abuse

Private sector is also more active

– Whistle Blowers: Qui Tam Relators

– Collaboration between Commercial and Government Insurers on Fraud

Programmatic Success Turns on Good Compliance

5

CMS Expectations for An Effective Compliance Program

Prevents, detects, and responds to violations of law or policy

“Proactive” not “reactive” approach

Includes fully-engaged and informed leadership team and board of directors

Culture of compliance with clear expectations of ethical and proper behavior

Proactive, comprehensive identification and response to compliance risk

6

MSSP ACO Regulatory Requirements

CMS regulation (42 CFR §425.300) requires a compliance plan with at least the following elements:

– Designated compliance official who reports directly to ACO governing board

– Mechanisms for identifying and addressing compliance problems

– Method for individuals/entities performing functions or ACO-related services to anonymously report suspected ACO problems to compliance officer

– Compliance training for the ACO’s participants/providers and suppliers

– Reporting of probable violations of law to an appropriate law enforcement agency

Regulation also requires periodic updates to reflect changes in law and regulations

7

Compliance Official

Must report directly to ACO governing board

– What about an ACO management compliance committee?

• While a management compliance committee is not specifically required; it is stated to be “integral to

establishment of an effective compliance program” in CMS-regulated entities

Cannot be legal counsel to the ACO

ACOs that are existing entities can use current compliance officer

Other qualifications: nothing specific

– Draw from MA and Part D experience

• Full-time employee (but can have duties beyond compliance)

• Knowledgeable about program and regulations

• Respected, right temperament, good people skills

8

Compliance Official

Beyond Medicare ACO Compliance issues

– May also be Chief Privacy/Data Security Officer for HIPAA and CMS DUA

– Will ACO have an ethics officer? Ombudsman? Risk Management?

9

Identifying & Addressing Compliance Problems

Regulatory Requirement: Must have mechanisms to identify and address compliance problems related to ACO operations and performance

CMS Expects:

– Open lines of communication to compliance official

– Prompt response to issues raised

– Investigations focused on root cause

– Correct problems at root cause level to reduce potential for recurrence

– Timely resolution to compliance issues identified

– Be prepared to show correction to CMS with data

– Implementation of consistent and appropriate corrective actions (e.g., disciplinary action)

10

Identifying & Addressing Compliance Problems: The Details

Drawing on Medicare Advantage strategies, government may be expecting some combination of:

– Internal Auditing & Monitoring to include data analysis and validation

– Annual Risk Assessments to identify key risks

– Annual Risk Assessments

– Development and appropriate documentation of a corrective action plan (CAP) for identified issues

– Follow-up tracking to confirm successful implementation of CAP and timely closure

– Disciplinary guidelines (published/documented) to encourage compliance

– Monitoring of provider/suppliers/other entities contracted or delegated to perform ACO functions/services

11

Anonymous Reporting

Typically involves mechanisms like a 1-800 Hotline

Must be available to:

– ACO employees/contractors

– ACO participants, providers, suppliers

– Other individuals or entities performing functions or services related to or delegated to perform ACO activities

Should publicize: ACO’s website, in training materials, in contracts, on signs in offices, etc.

Ensure mechanism to track incoming calls and document how issues reported are ultimately resolved

Depending on seriousness of issues reported, protocols should provide for escalation to management and document management actions (investigation and resolution)

12

Compliance Training

Trainees

– ACO governing body and employees

– ACO participants

– ACO providers and suppliers

Contracted or Delegated Entities

– Consider requiring any first tier entities, downstream entities, and related entities to have their own training, or where sufficient organizational similarities, make your training programs available to them

No specified content/timing

– CMS would likely expect initial training in new ACO, training for new hires, and periodic re-training

Documentation

– Maintain attendance records, content, etc.

– Disciplinary guidelines to ensure training (upon hire & annually thereafter)

13

Compliance Training & Building Culture: Other Opportunities

Creating a “Culture of Compliance”

Communications from CEOs

Annual Compliance Week

Newsletters

Facility Posters on Compliance and HIPAA Privacy

Compliance Alert Emails (e.g., ACO regulation updates)

Town Halls

ACO Compliance FAQ Hotline

14

Self Reporting

The compliance plan must require reporting of “probable” violations of law to an appropriate law enforcement agency

Issues to consider include:

– Defining what is a probable violation

– Timing of the ACO investigation/reporting

– De minimis issues

– What law enforcement agency is appropriate?

• Start with CMS

– Other

15

Credentialing

While not specifically addressed by MSSP ACO regs, It is advisable to be familiar with Medicare Advantage credentialing requirements.

The final decision making authority for credentialing and peer reviews should rest with governing bodies

ACO should credential clinicians employed by the ACO: Chief Medical Officer, clinicians involved in care coordination, case management, etc.

All ACO participants (physician groups, hospitals, others) must adhere to credentialing and review standards

– Contracts

– Bylaws

– ACO Policy & Procedures

16

Credentialing: CMS Expectations & MA Organizations

Credentialing is required for:

– All physicians who provide services to the organization’s enrollees, including members of physician groups; and

– All other types of health care professionals who provide services to the organization’s enrollees and who are permitted to practice independently under state law.

Credentialing is not required for:

– Health care professionals who are permitted to furnish services only under the direct supervision of another practitioner;

– Hospital-based health care professionals who provide services to enrollees incident to hospital services, unless those health care professionals are separately identified in enrollee literature as available to enrollees; or

– Students, residents, or fellows.

17

Credentialing: CMS Expectations & MA Organizations

Confirmation of Eligibility for Medicare Participation (GSA/OIG Exclusion)

Policies and procedures for the selection and evaluation of health care professionals

Initial Credentialing (upon hire) to include verification of applicants credentials and other pertinent information

Recredentialing expected, at least every 3 years

Ongoing monitoring of sanctions and grievances filed against health care professionals

18

Potential Compliance Targets

Targets of initial government compliance reviews may include:

– Accuracy of data submissions

– Annual certification that ACO is in compliance with all legal requirements

– Annual certification that all data and information submitted by the ACO is accurate and complete

– Beneficiary inducements

– Limitation on beneficiary freedom of choice (e.g., Beneficiary steering)

– Avoidance of at-risk beneficiaries

– Compliance with Data Use Agreement (note: more stringent than HIPAA)

– Compliance with HIPAA

– Documentation of OIG/GSA exclusion screening

– Submission & appropriate substance (avoidance of steering or inducements) of marketing materials for CMS approval

19

Potential Compliance Targets

Targets of initial government compliance reviews may include:

– Cherry picking (e.g., as reflected in risk profile changes in assigned population over time)

– Adequate publicizing of anonymous reporting hotline

– Issues that arise when an ACO has several contracts (Medicare, Medicaid, commercial)

– Antitrust concerns

– Documentation of training

– Documentation that ACO policies/procedures are being distributed, updated, and retained

20

Potential Compliance Targets

Targets of initial government compliance reviews may include:

– Are ACO, ACO participants, providers/suppliers, and other ACO contracted entities retaining records as required by regulation?

• May include review of contract language requiring record retention and permitting government audits inspections

• May also test accessibility of information

– Documentation regarding ACO-mandated beneficiary notices and signs, including data opt-out notices

21

Challenges & Other Issues to Consider

Implementing elements of cohesive compliance plan across independent physician practices and other providers/suppliers

Support staff turnover

Implementing contract provisions (e.g., to ensure preservation of records by participants, providers/suppliers, and contracted entities, ensuring government right to audit/inspect, and to permit internal monitoring)

Determining appropriate number of compliance employees needed for an effective compliance program

Determining appropriate level of monitoring/auditing for size of ACO

Measuring CMS’ expectations – Where does the ACO’s CCO responsibilities end?

– How does ACO compliance intersect with provider compliance obligations?

Meeting technical requirements of OIG/CMS waivers

Thinking down the road: developing process, including potential engagement with outside vendor, for responding to future CMS audits

22

Our Locations