The Health Plan Corporate Compliance Plan 10/2014 Reviewed 1-2011, 1-2012, 3-2013, 10-2014

INTRODUCTION

The Health Plan is dedicated to ensuring that all Federal and state laws, rules, regulations and procedures are complied with in a timely and effective manner. This includes but is not limited to requirements of Medicare Advantage Programs, Medicare Part C programs, and Medicare Part D programs. All Health Plan Board Members, officers, employees, contractors, providers and members are expected to meet the various legal requirements. For these reasons, The Health Plan has developed and instituted the following Corporate Compliance Plan. The Plan and related policies are designed to ensure The Health Plan fulfills all statutory and contractual obligations in a fair, accurate and consistent manner. The compliance plan not only addresses health care fraud, waste and abuse, but the requirements and obligations set forth by the Centers for Medicare and Medicaid (CMS), employment, whistleblower and insurance laws. The plan covers the following areas:

• Written Policies, Procedures and Standards of Conduct;
• Compliance Officer, Compliance Committee and High Level Oversight;
• Training and Education;
• Lines of Communication;
• Disciplinary Standards;
• System for Routine Monitoring and Identification of Compliance Risks;
• Procedures and System for Prompt Response to Compliance Issues;
• Any other area pertaining to compliance.

Regulatory compliance is not an option, it is required. Failure to comply with all applicable Federal and state regulations exposes The Health Plan to fines and potential loss of its Medicare programs. Non-compliance with the plan and all regulatory statutes undermines The Health Plan’s reputation and credibility with its members, providers, and employees. The compliance plan will be reviewed on an ongoing basis and as new laws are adopted and new techniques developed, the compliance plan will be reviewed and updated as appropriate.

The Health Plan Board of Directors delegates the authority for the development and implementation of the Corporate Compliance Plan to Executive Management and the internal Corporate Compliance Committee (CCC). Oversight of the program shall include all facets of development, implementation, and review of the program including:

• Development, implementation and annual review;
• Approval of compliance policies and procedures;
• Review and approval of compliance and FWA training;
• Review and approval of compliance risk assessment;
• Review of internal and external audit work plans and audit results;
• Review and approval of corrective action plans resulting from audits;
• Review and approval of appointment of the compliance officer;
• Review and approval of performance goals for the compliance officer;
• Evaluation of the senior management team’s commitment to ethics and the compliance program; and
• Review of dashboards, scorecards, self-assessment tools, etc., that reveal compliance issues.

The Corporate Compliance Officer will periodically report the status of corporate compliance activities to the Corporate Compliance Committee and to the Board of Directors.


WRITTEN POLICIES, PROCEDURES, AND CODE OF CONDUCT

The Health Plan’s overall expectation for Employee compliance begins with a commitment to comply with The Health Plan Code of Conduct, all Federal and State regulations, standards and sub-regulatory guidance. Compliance training occurs as part of the new hire process and is conducted annually thereafter, as determined by The Health Plan Compliance Department. In addition, The Health Plan has policies and procedures that establish expectations that Health Plan Employees, as well as First Tier, Downstream or Related Entities (FDRs), are expected to follow. The Health Plan maintains an extensive library of policies and written guidelines so all Employees know and understand their individual responsibility for compliant and ethical business practices.

Code of Conduct

All employees, officers, and directors are required to review and sign The Health Plan Code of Conduct as set forth in Attachment A on an annual basis.

Health Insurance Portability and Accountability (HIPAA) Privacy Program

The HIPAA Privacy Program sets the standards for Employees in safeguarding confidential and protected health information. The Health Plan is committed to complying with applicable laws, regulations and policies related to privacy of health information. All Employees are required to complete training on the Privacy Program policies and are required to perform their work duties with a conscious regard for the privacy rights of all Health Plan members. Under the direction of The Health Plan Director of Compliance, the Privacy Program focuses on educating Employees on their ongoing responsibility to protect member privacy and secure member information. The Compliance Department manages and updates the privacy policies and procedures, which are available to all Health Plan Employees via the intranet, through distributed materials, and/or directly from the Director of Compliance.

All FDRs must abide by The Health Plan Privacy Program policies or demonstrate that they have a dedicated Privacy Officer who is responsible for ensuring that all individuals within the respective delegated entity or vendor are trained on HIPAA regulations and the process for reporting privacy breaches. The FDR’s Privacy Officer is also responsible for managing any issues related to privacy breaches and reporting to The Health Plan should a privacy breach occur that impacts Health Plan members or business.


Fraud, Waste and Abuse (FWA) Plan

The Health Plan maintains a FWA Plan that demonstrates a commitment to prevent, detect and correct incidents that could lead to fraud, waste and/or abuse. The FWA Plan includes initial background checks for all potential employees, officers, Board members, physicians, and FDRs to review for felony convictions and Office of Inspector General (OIG) or General Services Administration (GSA) sanctions or exclusions. Upon hire or initiation of a contract, all individuals listed above must agree to comply with The Health Plan Code of Conduct and complete all mandatory FWA training courses. FWA training must include laws and regulations related to Medicare FWA (False Claims Act, Anti-Kickback Statute, etc.). Employees (including temporary workers and volunteers), governing body members, and FDR employees who have involvement in delivery of Part C and/or Part D must receive FWA training:

1. Upon appointment
2. When requirements, regulations or laws change
3. When employees are found to be noncompliant
4. As a corrective action to address a noncompliance issue
5. When an employee works in an area implicated in past FWA activities.

The Health Plan uses a number of system edits and programmatic reviews of data designed to detect potential fraud. The Health Plan maintains a FWA hotline for anonymous reporting and a Special Investigations Unit (SIU) that investigates all reports of potential fraud, waste and/or abuse. The SIU works with designated State and Federal agencies, the National Benefit Integrity Medicare Drug Integrity Contractor (“MEDIC”), and law enforcement to pursue individuals or organizations who may be involved in activities that fall under the FWA umbrella and will pursue prosecution of health care fraud and abuse. Fraudulent activity may involve an Employee, member, subscriber, or health care provider who is involved in inappropriate schemes, behaviors, false documentation, inappropriate prescriptions, or falsification of conditions in order to help an individual receive an otherwise uncovered service under Medicare or other Federal programs. All Health Plan Employees, Directors and FDRs play an important role in The Health Plan fraud prevention program and are required to report suspected fraud, waste and/or abuse through the channels provided.

The Health Plan Compliance and FWA Policies

The Health Plan policies and procedures represent its response to laws and regulations and day-to-day risks to help reduce the prospect of fraudulent, wasteful and abusive activity. Because risk areas evolve and change over time, The Health Plan’s policies and procedures are reviewed at least annually and revised when there are changes in regulatory requirements or business needs. The Health Plan policies demonstrate to Employees, business partners, and the community at large, our strong commitment to honest and responsible business compliance. The Health Plan published policies establish procedures and provide direction to Employees to promote compliance with laws and regulations, and to reduce the prospect of fraudulent, wasteful, or abusive activities in our daily work. The Health Plan requires that all FDRs adopt Health Plan policies and procedures or maintain similar policies and procedures that comply with current regulations or sub-regulatory guidance from CMS.

Compliance Policies and Procedures

The Health Plan Operational Areas have developed Compliance policies and procedures to ensure process controls are in place to meet specific requirements of the Medicare/Medicaid programs. The policies and procedures support the Compliance Program Plan and work in conjunction with department policies developed by and used on a day-to-day basis by Health Plan business areas.

Delegated Entities, Vendors, Agents and First Tier, Downstream & Related Entities (FDRs)

Various departments at The Health Plan provide service to Health Plan members through third party arrangements. When a third party, such as a PBM, a provider group, a dental provider, or another entity provides services to members, it is necessary to ensure that the third party entity adheres to all requirements of The Health Plan Compliance program. Accordingly, designated Health Plan staff shall monitor the activities and performance of FDRs to ensure they fulfill their contractual requirements for Part C, Part D, and Medicaid and meet established performance standards. Delegation and vendor oversight activities shall include, but are not limited to:

• Contractual language to require adherence to compliance requirements;
• Audits to validate compliance with requirements;
• Development of corrective action plans in response to detected offenses;
• Reports of oversight activities;
• Management of corrective action plans; and
• Regular reporting to the Compliance Committee


COMPLIANCE OFFICER, COMPLIANCE COMMITTEE AND HIGH LEVEL OVERSIGHT

The Health Plan recognizes the importance of fostering a compliance culture. To this end, The Health Plan maintains and supports a Compliance Committee and a Compliance Officer vested with clear roles, responsibilities and objectives.

Compliance Officer

The Health Plan’s Compliance Officer will serve as an integral part of The Health Plan’s Compliance Plan and act as the focal point for compliance activities. The Compliance Officer will have direct access to the President and Board of Directors of The Health Plan. The Officer will also be responsible for developing, operating and monitoring the Compliance Program. The Officer may delegate such responsibilities where appropriate. The Officer does not hold other responsibilities that could lead to self-policing of his activities. The Health Plan’s Compliance Officer is Tom Samol.

Authority: The Officer has the following authority:

• Interview or delegate the responsibility to interview the sponsor’s employees and other relevant individuals regarding compliance issues;
• Review company contracts and other documents pertinent to the Medicare and Medicaid programs;
• Review or delegate the responsibility to review the submission of data to Medicaid entities to ensure that it is accurate and in compliance with reporting requirements;
• Independently seek advice from legal counsel;
• Report potential FWA to CMS, its designee, or other required state entities or law enforcement;
• Conduct and/or direct audits and investigations of any FDRs;
• Conduct and/or direct audits of any area or function involved with Medicare Parts C or D plans; and
• Recommend policy, procedure, and process changes.

Roles and Responsibilities:

• Overseeing and monitoring the implementation of the compliance program
• Report on a regular basis to the President, Corporate Compliance Committee (CCC) and Board of Directors.
• Periodically revise the compliance program in light of changes in the needs of the organization, and in law and policy procedures of governmental agencies
• Develop, coordinate and participate in multifaceted educational and training programs that focus on the elements of the compliance program
• Coordinate internal compliance review and monitoring activities
• Develop policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation.
• Oversee the Special Investigation Unit.

The Officer has the flexibility to design and coordinate internal investigations (e.g. responding to reports of problems or suspected violations) and issue any resulting corrective action (e.g. making necessary improvements to policies and practices and taking appropriate disciplinary action) working through the Compliance Program. Such activities may include but are not limited to:

• Coordinating issues with the Human Resources Department and the Network Development/Provider Relations Department to ensure that the National Practitioner Data Bank, Cumulative Sanction Report, the OIG and GSA resources have been checked with respect to all employees, officers, directors and managers as well as first tier entities, downstream entities and related entities and providers to make sure they are not included on such lists restricting participation in Medicare Programs.
• Reporting any applicable fraud or misconduct to CMS, its designee and/or law enforcement
• Ensuring proper documentation is maintained for each report of potential fraud, waste or abuse received through any of the reporting methods (i.e. hotline, mail, in-person). Such documentation includes all corrective and/or disciplinary action(s) taken as a result of the investigation, the respective dates when each of these events and/or actions occurred, and the names and contact information for the person(s) who took and documented these actions.
• Overseeing the development and monitoring the implementation of corrective action plans.
• Independently investigating and coordinating potential fraud investigations/referrals and where applicable, coordinating and cooperating with the appropriate MEDIC.

The Officer, as appropriate, collaborates with other sponsors, state Medicaid Programs, Medicaid Fraud Control Units (MFCUs), commercial payers, and other organizations when a fraud, waste or abuse issue is discovered that may involve multiple parties.

Compliance Department

The Compliance Department provides support to the Compliance Officer in promoting ethical conduct, instilling a company-wide commitment to Medicare and Medicaid compliance, and exercising diligence in ensuring the overall Medicare and Medicaid Compliance Program requirements are met. The Compliance Department is responsible for:

• Representing The Health Plan before all applicable state and federal regulatory agencies on Medicare/Medicaid-related issues and serving as liaison for communications between the Company and the Centers for Medicare and Medicaid Services and other regulatory entities.
• Establishing the overall framework for the Compliance Program to promote compliance with applicable Medicare Advantage and Part D regulatory and legal requirements.
• Ensuring consistent and timely reporting of relevant compliance issues to the Compliance Officer. The Compliance Officer, in turn, reports compliance matters to the Compliance Committee and has authority to escalate issues to executive management and the Board of Directors.
• Assisting, advising and overseeing the individual business units and health plans in the design, administration, and implementation of their individual compliance work plans and policies.
• Establishing key performance measures, metrics, and reporting protocols as part of the organization’s audit and monitoring of key risk areas.
• Monitoring/auditing and reporting key compliance and performance metrics for the purpose of resolving identified patterns and trends, working with business units on internal corrective actions, and assessing the effectiveness of the Compliance Program.
• Assessment of new risk areas based on information gathered from a variety of sources, including new CMS guidance, internal assessments, member complaints, CMS inquiries or other avenues; and recommending new or revised metrics, policies and procedures, enhanced training courses, or other activities that may be tracked and measured to demonstrate compliance.
• Reporting incidents of potential or identified non-compliance, and working with the applicable business units to implement appropriate and timely corrective actions that will result in measurable compliance.
• Developing relevant and effective compliance training programs that support the Compliance Program and build compliance awareness for employees, management and FDRs.
• Performing independent review and ongoing monitoring/auditing of identified risk areas, as well as monitoring of compliance or performance deficiencies; and ensuring effective corrective actions are implemented in a timely manner.
• Partnering with Internal Audit to have high-priority risk areas included in the Internal Audit annual work plan and to provide background and consultative guidance to Internal Audit on any audit topic involving The Health Plan’s MA or Part D contracts.


Compliance Committee

The Health Plan has established a compliance committee to advise and assist the Compliance Officer in the implementation of the compliance program. The committee will consist of members with relevant experience within The Health Plan and senior management.

Roles and Responsibilities: The Committee’s responsibilities shall include:

• Meeting at least quarterly, and as necessary
• Analyze the industry environment, legal requirements with which it must comply and specific risk areas
• Assess existing policies and procedures that address these risk areas
• Work with appropriate departments to promote compliance
• Recommend and monitor the development of internal systems and controls to carry out The Health Plan’s standards, policies and procedures
• Determine the appropriate strategy/approach to promote compliance with the program and detection of any potential violations through hotlines and other fraud reporting mechanisms
• Supporting the Officer’s needs for sufficient staff and resources to carry out his duties
• Ensuring The Health Plan has appropriate, up-to-date compliance policies and procedures
• Reviewing and addressing reports of monitoring and auditing of areas in which The Health Plan is at risk of fraud, waste or abuse and ensuring corrective action plans are implemented and monitored.

Governing Body

The Health Plan Board of Directors establishes The Health Plan Audit/Corporate Compliance/Grievance Committee in accordance with The Health Plan Board of Directors By-laws. The purpose of this Committee is to work with external auditors during the annual audit and work with management for any audit requests from the Board; evaluate grievances, fraud, waste and abuse; and oversight of the corporate compliance program.

The Committee’s responsibility is to provide advice and counsel to Management and to assist the Board of Directors in its oversight of financial audits, internal controls for finance, accounting, corporate compliance program, and ethics processes. The Committee will serve as an independent and objective party to monitor the organization’s financial reporting process, internal control systems and corporate compliance. The committee will provide an open avenue of communication among the independent auditor, financial and senior management, the internal audit department, corporate compliance department, and the governing body.

The Board of Directors will review and approve the Code of Conduct and compliance program no less than annually. The Board will also review any compliance issues or concerns of the Committee based upon their review of the compliance program. The Committee on behalf of the Board will provide oversight of, but not limited to, the following areas:

• Understanding the compliance program structure;
• Remaining informed about the compliance program outcomes, including results of internal and external audits;
• Remaining informed about governmental compliance enforcement activity such as Notices of Non-Compliance, Warning Letters and/or more formal sanctions;
• Receiving regularly scheduled, periodic updates from the compliance officer and compliance committee; and
• Reviewing the results of performance and effectiveness assessments of the compliance program.

The Health Plan Board of Directors delegates the authority for the development and implementation of the Corporate Compliance Plan to executive management and the internal Corporate Compliance Committee (CCC). These items include but are not limited to:

• Development, implementation and annual review of compliance policies and procedures;
• Approval of compliance policies and procedures;
• Review and approval of compliance and FWA training;
• Review and approval of compliance risk assessment;
• Review of internal and external audit work plans and audit results;
• Review and approval of corrective action plans resulting from audits;
• Review and approval of appointment of the compliance officer;
• Review and approval of performance goals for the compliance officer;
• Evaluation of the senior management team’s commitment to ethics and the compliance program; and
• Review of dashboards, scorecards, self-assessment tools, etc., that reveal compliance issues.


EFFECTIVE TRAINING AND EDUCATION

Training and education are important elements in The Health Plan’s overall compliance program. The Health Plan requires that Employees at all levels of the company complete mandatory Compliance and FWA training courses. The Compliance and FWA training must be completed within ninety (90) days of employment and must be repeated annually, unless otherwise noted. Training must include information regarding:

1. Code of Conduct
2. General Compliance
3. HIPAA
4. Fraud, Waste and Abuse

Compliance Training for FDRs

All first tier, downstream and related entities that provide services to Medicare Advantage and/or Part D enrollees are required to complete compliance and fraud, waste and abuse training. Contracted providers and FDRs have the option of taking The Health Plan Compliance and Fraud, Waste and Abuse training on-line via The Health Plan provider website, requesting a hardcopy version of the training, completing CMS’ online training or conducting their own training. Although some FDRs may be deemed to have met the requirements for the Medicare FWA training due to their enrollment into the Medicare Program, these deemed individuals must still receive general Medicare compliance training and specialized compliance training in connection with their job responsibilities.

Tracking Required Compliance Training

At The Health Plan, each member of management is responsible for ensuring their Employees complete all required compliance training. Required training courses are delivered electronically via the intranet, which tracks training completion rates by Employees and alerts Managers to any overdue training requirements. Through the attendance logs, training materials and test results are maintained for reference. Employees and Managers receive regular reminders of their training obligations, as well as personalized email reminders of outstanding compliance training requirements. Failure to complete required compliance training subjects Employees and their Managers to performance actions, up to and including termination of employment.

FDRs must maintain documentation, including attendance logs, training materials and testing results, of all employees, contractors and volunteers who have completed the trainings either provided by Centers for Medicare and Medicaid Services (CMS), The Health Plan through the website (www.healthplan.org) or their own equivalent training.


EFFECTIVE LINES OF COMMUNICATION

The Health Plan works diligently to foster a culture of compliance throughout the organization by regularly communicating the importance of performing jobs in compliance with regulatory requirements and reinforcing the company expectations of ethical and lawful behavior. The Health Plan has systems in place to receive, record and respond to compliance questions, or reports of potential or actual non-compliance from Employees, Members, Providers and FDRs. The areas listed below are key to the Compliance Department communications strategy:

The Health Plan Fraud, Waste and Abuse Hotline and Email Box

The Health Plan Fraud, Waste and Abuse Hotline is a confidential, toll-free resource available to Employees, Members, Providers and FDRs twenty-four (24) hours a day, seven (7) days a week to report violations of, or raise questions or concerns relating to, non-compliance, fraud, waste and abuse. Employees, Members, Providers and FDRs may call:

Health Plan Fraud, Waste and Abuse Hotline
1-740-699-6111 or 1-877-296-7283
or www.healthplan.org

Calls and online forms may be provided anonymously. These communications are never traced or recorded. Anyone can make a report without fear of intimidation or retaliation. The Health Plan logs calls to the Health Plan Fraud, Waste and Abuse Hotline or online form complaints to ensure proper investigation and resolution of reported matters and to identify patterns and opportunities for additional training or corrective action. All calls to the Health Plan Fraud, Waste and Abuse Hotline are investigated by The Health Plan Compliance Department and/or Special Investigations Unit (SIU).

The Health Plan educates Employees about the Health Plan Fraud Hotline and online form through:

1. Fraud, Waste and Abuse Training
2. The Employee intranet website
3. Posters displayed in common work areas
4. Health Plan Policies and Procedures
5. Newsletters and emails


Members, Providers and FDRs are educated regarding the Health Plan Fraud Hotline and online form through:

1. The Health Plan internet website
2. The Fraud, Waste and Abuse Compliance training for Providers and FDRs
3. Provider Newsletters and Updates
4. The Health Plan Medicare Advantage Member Explanations of Benefits (EOBs)

Medicare SecureCareOps Committee

This Committee has the responsibility to monitor all CMS publications, revisions, new laws and regulations that may affect the delivery of Part C and Part D services and communicate these changes to the appropriate operational areas affected.


WELL PUBLICIZED DISCIPLINARY STANDARDS

The Health Plan, as part of the compliance program, has published the Code of Conduct, which established standards of compliance that all Employees, Directors, and Officers must follow. Every Employee, Director, and Officer is responsible for abiding by the Code of Conduct and for reporting any situation where he/she believes illegal or unethical compliance may have occurred. FDRs must also comply with standards The Health Plan has established or demonstrate that they have implemented similar standards of compliance. The Health Plan takes its commitment to the Code of Conduct very seriously and takes appropriate and immediate investigative and disciplinary action if anyone violates the Code of Conduct, Health Plan policies or the law. The Health Plan’s strong commitment to ethical values and compliance includes:

Involvement of Chief Executive Officer, Senior Management and Board of Directors

The President and Chief Executive Officer (CEO) of The Health Plan and the Board of Directors are involved in establishing Health Plan standards of Compliance.

Enforcing Standards of Compliance

The Health Plan policies provide specific instructions for handling reports of potential violations of company policies, administrative rules, regulations, or law. Any Health Plan Employee who suspects a potential violation of policy or law is required to report the matter to any of the following:

1. Their department supervisor or manager
2. The Director of Compliance
3. The Health Plan Fraud, Waste and Abuse Hotline
4. Online at www.healthplan.org

The Health Plan does not tolerate intimidation or retaliation against Employees who report potential violations in good faith. A description of The Health Plan policy on non-intimidation/non-retaliation is found in the Code of Conduct, and is reinforced in a number of policies, procedures, guidelines, and training materials.

Publicizing Disciplinary Guidelines

All Health Plan Employees are informed that violations of the Code of Conduct, Health Plan policies, regulations or laws may result in appropriate disciplinary action, up to and including termination of employment. Disciplinary and Sanction policies are posted on the intranet for all Employees located in the Employee Handbook.


EFFECTIVE SYSTEM FOR ROUTINE MONITORING AND IDENTIFICATION OF COMPLIANCE RISKS

Monitoring and auditing are critical elements in the Compliance Program. Compliance-related elements are used to develop metrics for evaluating performance against regulatory standards. Monitoring and auditing allow The Health Plan to identify areas that require corrective action in order to achieve compliance with specific regulatory requirements. This process of self-identification and corrective action, along with monitoring that such actions are effective, is a key element of our program.

Auditing and monitoring activities are determined through an annual risk assessment that reviews program risk areas, establishes metrics for self-reporting and self-audits from the operational areas, requires corrective actions for areas found to be non-compliant, and requires corrective actions be taken to address identified risks. Compliance risks are separately reviewed through a variety of oversight activities, including:

• Medicare Compliance Department Audit
• General Internal Audits
• Department and/or Business Unit Self-Audits and Monitoring
• Third Party Data Validation Audits
• Monitoring and Auditing of First Tier, Downstream and Related Entities (FDRs)
  o Including PBM oversight monitoring and audits
  o Including audit of other FDRs
• Special Investigations Unit Monitoring, Audits and Investigations
• Auditing by regulators or other external parties

The various components that make up The Health Plan monitoring and audit activities include:

Medicare Monitoring and Audit Work Plan

Annually, the company prepares a work plan outlining the planned compliance activity for the coming year. The plan is submitted to Executive Management for approval during the last quarter of the year for the coming year. The work plan for compliance auditing includes:

1. Audits to be performed;
2. Audits scheduled for the year, including start and end dates;
3. Number of first tier entities being audited and how they were chosen (may perform risk assessment to determine sample);
4. Announced or unannounced audits;
5. Audit methodology;
6. Necessary resources;
7. Types of audit: desk or onsite;
8. Person(s) responsible;
9. Final audit report due date;
10. Follow-up activities from findings;
11. Process for responding to audit results and for conducting follow-up reviews of non-compliance to determine if the corrective actions are successful.

In addition to planned audits, ad hoc audits shall be incorporated as needed.

Medicare Compliance Audits

The Compliance Department audits business unit operations as part of its overall program to identify and mitigate compliance risks. The Compliance Committee performs an annual risk assessment using data and information from a variety of sources, which may include:

1. Regulatory risks based on CMS guidance
2. Risks as identified in the OIG work plan
3. Audit findings from CMS
4. Notices of Non-Compliance from CMS
5. Complaints filed with CMS (CTMs)
6. Complaints related to sales and marketing issues
7. Secret Shopper issues and findings identified by CMS
8. Audit findings from business unit self-audits
9. Identified high risk areas
10. Corrective Action Plan monitoring
11. Member “touch points” such as Appeals & Grievances, Claims, Member Services, Enrollment/Disenrollment, and Premium Billing

The result of the risk assessment drives the development of the Compliance Department’s annual work plan for oversight audits. The Compliance Department may modify its audit work plan based on issues that arise within the organization, focusing on high risk areas to confirm effective corrective actions were taken based on detected areas of non-compliance or compliance risks. Medicare Compliance audits are based on regulatory guidance and, depending on the department being audited, may rely on CMS guidance outlined in the:

1. The Medicare Managed Care Manual
2. The Medicare Prescription Drug Benefit Manual
3. The CMS Monitoring Guide
4. Other applicable CMS guidance and publications


Similar to the process CMS uses in its audits, the Compliance Department prepares reports of any findings and works with any audited department(s) or entity to develop any needed corrective action plans. The audit reports and corrective action plans are reported to the Compliance Director, and the Corporate Compliance Committee. In turn, the Compliance Director may also report the audit findings and corrective action plan to the Senior Leadership and/or the Board of Directors as needed.

Third Party Validation Review Audits

The Health Plan may contract with independent third parties to audit processes and operations against CMS standards and requirements. The results of the third party audits are reported to Senior Management, the Director of Compliance, the Corporate Compliance Committee, CEO and the Board of Directors.

Monitoring and Auditing of First Tier, Downstream, and Related Entities (FDRs)

The Health Plan contracts with various parties to administer and/or deliver Medicare Advantage and Part D benefits. These first tier parties and their downstream contractors must abide by specific Health Plan contractual and regulatory requirements. Various Health Plan departments are responsible for overseeing the ongoing compliance of the FDRs including, but not limited to:

1. Credentialing
2. Pharmacy
3. Provider Network
4. Accounting
5. Medicare Operations
6. Medicare Sales
7. SIU

The Health Plan will perform internal auditing and monitoring and external audits, as appropriate, to evaluate the FDRs’ compliance with CMS requirements as well as overall effectiveness of the compliance program. FDR audit selection criteria consist of a risk assessment to identify the highest risk FDRs so that a reasonable number will be selected to audit from the group(s) that pose the highest risk.

Special Investigations Unit Monitoring, Audits and Investigations (Fraud, Waste and Abuse Issues)

The Health Plan Special Investigations Unit (“SIU”) is responsible for investigating issues of possible Medicare fraud, waste and/or abuse. The SIU also develops and implements training and awareness programs to promote commitment to ethical compliance for all Employees, contracted Providers, and FDRs. The SIU is the focal point for FWA investigations and works with the Medicare Drug Integrity Contractor (“MEDIC”), law enforcement and other agencies, as required. The SIU employs analytical data mining to identify referral patterns, possible payment errors, utilization trends and other indicators of potential fraud, waste, and abuse. Results of SIU investigations are reported to the FWA Committee, the Director of Compliance, and the Compliance Committee.

Auditing by Federal Agencies or External Parties

The Health Plan views regulatory audits and reviews as an opportunity to confirm that our ongoing compliance efforts, supported by the Board, are effective and successful. In cases where an audit outcome indicates we have not met a regulatory requirement, The Health Plan will use the audit findings to perform root cause analysis and develop corrective action plans to address identified areas of non-compliance. The Health Plan may also contract with external companies to perform compliance related reviews and assist with programmatic changes to help drive compliance.

The Health Plan cooperates with federal agencies and external parties when audits are completed and provides auditors access to information and records related to business processes and those First Tier, Downstream and Related Entities. The Health Plan allows access to all documentation and records for audits and maintains all records for ten (10) years. The Compliance Department serves as the point of contact for all audits related to the Medicare Advantage and Part D programs and coordinates auditor requests with all internal departments. Staff from other Health Plan departments are charged with coordinating state audits or reviews, and the Compliance team may assist in those.
Sales Agents & Broker Monitoring and Auditing

Sales Agents and Brokers are monitored by the Marketing Department and audited through review of member complaints, secret shopping, review of company websites for unapproved advertising, ride-alongs, review of exclusion databases, disenrollment rates, and review of DOI complaints or licensure issues by the Compliance Department. Complaints against a Sales Agent may be received through a variety of sources including beneficiary complaints filed with CMS, the CMS regional office, Member Call Center, Customer Service Department, Medicare Compliance, the hotline or through the Appeals and Grievance Department. An “at fault” finding requires The Health Plan to implement prompt corrective action with the Sales Broker, such as re-training, re-testing or ride-along, or it may involve specific sanctions such as suspension of sales production, or termination of employment or the Broker Agreement.


PROCEDURES AND SYSTEM FOR PROMPT RESPONSE TO COMPLIANCE ISSUES

The Health Plan takes corrective actions whenever there is a confirmed incident of non-compliance. The Health Plan may identify the incident of non-compliance through a variety of sources, such as self-reporting channels, CMS audits, internal audits, hotline calls, external audits, regional collaborative work groups or member complaints, either directly to the Plan or through CMS. Whenever The Health Plan identifies an incident of non-compliance or fraud, waste and abuse, it is followed through the risk assessment process.

The Director of Compliance (in conjunction with Compliance Department, SIU and other key staff) is responsible for reviewing cases of non-compliance and, when applicable, for disclosing such incidents to CMS. Because of the complex nature of some of the cases that may be involved, particularly fraud investigations, the Director of Compliance may delegate all or a portion of this responsibility to the appropriate internal expert, for example to the SIU, for the detailed reporting to the MEDIC or law enforcement.

Any time an incident of non-compliance is discovered or a department’s process or system results in non-compliance with CMS requirements, the business area is required to submit a Corrective Action Plan (CAP) to the Compliance Department. A CAP represents a commitment from the business unit to correct the identified issue in a timely manner. Corrective actions may include revising processes, updating policies or procedures, retraining staff, reviewing systems edits and other root causes. The CAP must achieve sustained compliance with the overall CMS requirements for that specific operational department. The status of open Corrective Action Plans is reported to the Director of Compliance and the Compliance Department on a monthly basis or a frequency determined by the Compliance Director.
The Compliance Department monitors Corrective Action Plan implementation and requires that the business department regularly report the completion of all interim action steps. Once a CAP is complete, the Compliance Department will validate by auditing individual action items over a period of time to demonstrate sustained compliance was achieved, and the CAP was effective. The Compliance Committee is charged with reviewing ongoing activity to ensure that CAPs being undertaken are timely and effective and to report ongoing non-compliance risks to Senior Management.

The Health Plan delegation and vendor oversight of FDRs includes a requirement that they submit a Corrective Action Plan when deficiencies are identified through oversight compliance audits, ongoing monitoring or self-reporting. The Health Plan takes appropriate action against any contracted organization that does not comply with a CAP or does not meet its regulatory obligations, up to and including termination of their agreement. The FDRs are delegated to perform specific administrative or plan functions. They are bound contractually through written agreements with The Health Plan that stipulate compliance with CMS requirements and provisions for removal of delegation or termination for failure to cure performance deficiencies.

The Health Plan Compliance Program Plan is effective in promoting compliance, and controlling fraud, waste and abuse at both the sponsor and FDR levels in the delivery of Part C and Part D benefits to Medicare beneficiaries as well as Medicaid and other members covered by The Health Plan. Policies and Procedures associated with this Corporate Compliance Plan further expand the activities and oversight of the program.


The Health Plan Code of Conduct Attachment A

The successful business operation and reputation of The Health Plan is built upon principles of fair dealing and ethical conduct of our employees. Our reputation for integrity and excellence requires careful observance of the spirit and letter of all applicable laws and regulations, as well as a scrupulous regard for the highest standards of conduct and personal integrity. The continued success of The Health Plan is dependent upon our customers' trust and we are dedicated to preserving that trust. Employees owe a duty to The Health Plan and its customers to act in a way that will merit the continued trust and confidence of the public.

The Health Plan will comply with all applicable laws and regulations and expects its directors, officers, and employees (i.e. interns, temporary employees, volunteers, external committee members), contractors, and FDRs to conduct business in accordance with the letter, spirit, and intent of all relevant laws and to refrain from any illegal, dishonest, or unethical conduct.

Requirements of each employee, officer, and director:

Employees, officers and directors must conform to all laws that apply to business of The Health Plan wherever it is conducted.



Employees, officers and directors will conduct activities with integrity and honesty.



Employees, officers and directors must display good judgment and high ethical standards in business dealings. All Health Plan business affairs must be conducted with honesty, fairness and integrity. These qualities are evidenced by truthfulness and the absence of deception or fraud. Special attention should be paid to dealing with providers where payment is involved and to all coding matters. It is important to understand the legal and ethical position of The Health Plan and its employees to avoid concerns regarding fraud and abuse arrangements or practices.



Employees, officers and directors must not knowingly create, maintain or submit records, reports or statements that are inaccurate, false or misleading. No undisclosed or unrecorded funds or assets can be established. All items of income and expense and all assets and liabilities must be entered in the financial records and must be accurately and adequately described. All reports submitted to governmental authorities must be accurate and complete and all transactions shall be executed in accordance with management’s authorization.



Confidential information will not be disclosed to unauthorized people. Employees, officers and directors will not use confidential information in a way that is not related to The Health Plan’s business activities during or after their employment. Confidential information cannot be given to competitors, suppliers, or contractors or to other employees who do not have a legitimate need to know.



Employees, officers and directors must not participate in activities that could conflict or appear to conflict with their responsibilities to The Health Plan. Employees, officers and directors may not realize any profit or gain as a result of their position with The Health Plan other than normal compensation from The Health Plan. A conflict of interest occurs if their activities or responsibilities are detrimental to the interest of The Health Plan or result in improper or illegal personal gain.

No employee, officer or director of The Health Plan or any member of their family can receive gifts, loans or other special preferences from a person or organization that does or wants to do business with The Health Plan or is a competitor of The Health Plan. The only exception is gifts of limited value extended as a business courtesy.



Employees, officers and directors must not provide gifts, loans or other benefits to a provider, potential member or client to obtain referrals or beneficial arrangements or as an inducement to enroll in The Health Plan.



Gifts to physicians, clients, members or potential members are appropriate only if the monetary value is modest; the benefit is part of marketing, educational or other ordinary business activity; and the benefit does not violate any applicable law. Occasional business meals or entertainment events are acceptable provided they are of reasonable cost and the business purpose is clearly documented. In the case of Medicare and Medicaid beneficiaries such will not exceed the values set forth in regulations.



Employees, officers and directors may not use The Health Plan funds for improper or illegal activities. There will be no payments to government officials to secure sales or obtain a favorable treatment. Gifts to or entertainment of government officials or employees are prohibited because these actions could be construed as attempts to influence government decisions.



It is the duty of all employees, officers, directors and contractors of The Health Plan to report any suspicious, illegal, or unethical activities or possible conflicts of interest of themselves, employees, contractors, agents and of others to The Health Plan Compliance Officer.



It is the duty of all employees, officers, directors and contractors to self-report if they have been convicted of, or charged with, a criminal offense related to health care, or if they have been listed by a federal agency as debarred, excluded or otherwise ineligible for participation in federally funded health programs.



It is the duty of all employees, officers, directors and contractors of The Health Plan to complete the company’s Compliance and Fraud, Waste & Abuse training annually. New employees, officers, board or committee members must complete such training within 90 days of initial hire or appointment.

In general, the use of good judgment, based on high ethical principles, will guide you with respect to lines of acceptable conduct. If a situation arises where it is difficult to determine the proper course of action, the matter should be discussed openly with the immediate supervisor and, if necessary, with the Human Resources Department or Compliance Officer for advice and consultation. The Health Plan ensures that employees and contractors may report or assist in investigation of suspected illegal acts or improper conduct without threat of negative consequences.


No retaliation, reprisals or disciplinary action will be taken or permitted against Health Plan employees, officers, directors or contractors for good faith participation in the Compliance Program, including but not limited to reporting potential issues to appropriate authorities, cooperating in the investigation of suspected illegal activities or improper conduct, and conducting self-evaluations, audits and remedial actions.



Failure to abide by this prohibition against retaliation or reprisals is a violation of this Code of Conduct, and may be a violation of Federal and/or State law, i.e. False Claims Act.

Compliance with this policy of business ethics and conduct is the responsibility of every Health Plan employee. Disregarding or failing to comply with this standard of business ethics and conduct could lead to disciplinary action, up to and including possible termination of employment.

Each employee, officer and director shall be required to read and acknowledge this Code of Conduct on an annual basis by way of the certification statement below.

*************************************************************************************

I hereby certify that:

I have read, understand and agree to abide by The Health Plan’s Code of Conduct.

I have not been convicted of, or charged with, a criminal offense related to health care, nor have I been listed by a federal agency as debarred, excluded or otherwise ineligible for participation in federally funded health programs.

I agree to report suspected violations of any Federal and/or State laws, regulations, the Code of Conduct or the FWA Plan to my supervisor or the Compliance Department.

I understand that any violation of any Federal and/or State laws, regulations, the Code of Conduct, the FWA Plan or any other Health Plan compliance policy or procedure is grounds for disciplinary action, up to and including discharge from employment.

Unless otherwise noted in the space immediately below, I am not aware of any possible violations of any Federal and/or State laws, regulations, the Code of Conduct or the Anti-Fraud Plan at this time.

EMPLOYEE’S NAME: (printed) ______________________________________________________

EMPLOYEE’S SIGNATURE: ________________________________________________________

DATE: ____________________________________

Revised 11/1/2014
