March 19, 2007

Failing Grade for Medicare Advantage and Prescription Drug Plan Compliance Programs

Holland & Knight Alert
Christopher A. Myers

The Office of Inspector General Warns of Increasing Enforcement CMS to Audit Compliance Plans Beginning January 2007

Medicare Advantage Plans (MA Plans) and Prescription Drug Plan Sponsors (PDP Sponsors) are required to have compliance plans that include detailed procedures for disclosing misconduct to the government. Yet simply establishing compliance programs that contain the required elements established by the Centers for Medicare and Medicaid Services (CMS) will not be sufficient for a passing grade. Instead, the government is now increasingly failing Part C and D plans that cannot show evidence that the organizations have effectively integrated their compliance programs into their core business operations.

Part D Plans Getting Fs: OIG Compliance Program Audits

Before the government becomes involved, organizations need to establish comprehensive compliance programs. The Office of Inspector General (OIG) recently audited all of the PDP Sponsors’ compliance plans and found that 72 of the 79 did not meet the compliance program requirements established by CMS. Surprisingly, the two top deficiencies were among the most obvious requirements:

1) failure to designate a compliance officer and compliance committee

2) lack of procedures for internal monitoring and auditing

The OIG reported that:

These elements are essential to the implementation of a successful compliance program. Compliance officers are focal points for the organizations’ compliance activities and compliance committees assist in compliance program implementation. Ongoing auditing and monitoring is a critical process that enables organizations to identify and respond to compliance issues timely and to review whether compliance plan elements are functioning appropriately.1

The government has made it increasingly clear – organizations that receive federal funds must have a comprehensive and effective compliance program in place, use due diligence to prevent and detect wrongful conduct, and promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The government has repeatedly demonstrated, through enforcement actions, its insatiable appetite for addressing health care budget concerns through the pursuit of health care fraud recoveries. This commitment is reflected by significantly increased budgets for fraud investigations over the next several years.

Government Actions in Response to Compliance Deficiencies

Failure to comply with the government’s new mandates and increased scrutiny may have far-reaching consequences for plans and sponsors. For example, organizations that do not have an effective compliance program may face among others, any or all of the following sanctions:

  • suspension or exclusion from participating in the Medicare, Medicaid or other federal programs
  • preclusion from enrolling new beneficiaries
  • denial or recoupment of payments on behalf of beneficiaries already enrolled in their plans
  • potentially extreme fines

Compliance programs that once may have been voluntary have become a mandate, the violation of which may cause severe penalties. In addition to the CMS penalties above, organizations without an effective compliance program may find themselves subjected to enforcement actions, massive investigation costs and extreme fines for failing to prevent, detect and remedy internal misconduct. For example, the Department of Justice (DOJ) has entered into numerous multimillion dollar settlements of qui tam (whistle-blower) cases under the False Claims Act alleging that a managed care or health insurance organization violated fraud and abuse laws. The whistle-blowers in similar actions against pharmaceutical manufacturers have in many cases received tens of millions of dollars for their part in reporting the alleged misconduct, a strong inducement for future whistle-blowers in new areas of OIG concern, such as managed Medicare and Part D.

Very recently, the DOJ announced another settlement of a qui tam False Claims Act action against RightCHOICE Managed Care, Inc., in which RightCHOICE paid $975,000 to settle the allegations of fraud. In announcing the settlement, Justice Department officials warned all health care entities that receive federal funds that the Department is committed to protecting the health care system from what it perceives as substantial fraud and abuse. Health care providers, health plans, MA plans and PDPs should view the settlements as a reminder of the need to implement fully their own compliance programs to prevent false claims or other improper payments, and to manage problems before they turn into enforcement actions.

Areas of recent enforcement by the OIG and CMS include:

  • reviewing materials and personnel for compliance with CMS marketing guidelines
  • challenging selective marketing practices based on health status or usage, a practice known as “cherry picking”
  • investigating alleged inappropriate incentives to beneficiaries and providers for enrollment, disenrollment, underutilization and failure to meet quality of care standards
  • alleging violations of the anti-kickback statute and other improper marketing and enrollment inducements
  • failures to establish appropriate records retention and destruction policies
  • policies to ensure beneficiary access to emergency services

These are just a few of the areas in which an organization’s compliance officer and compliance committee should be involved in conducting risk assessments; setting priorities; creating policies; training the organization’s board, management and employees; monitoring for compliance; and providing corrective actions when misconduct is discovered. In other words, the compliance program must be fully integrated into the operations of the organization and its activities fully documented.

CMS’ Response to the OIG and Recommendations on Compliance Programs

In response to the OIG’s audit, CMS has announced that it will conduct regular audits of MA organizations’ compliance plans beginning in January 2007. In preparing for these audits, we recommend that organizations, at a minimum, need to confirm that their compliance plans contain and have implemented the following eight elements:

1) written policies, procedures and standards of conduct that articulate the organization’s commitment to comply with all applicable federal and state standards

2) a compliance officer and compliance committee that are accountable to senior management

3) training and education of the organization’s employees

4) effective and frequent communication on compliance issues

5) enforcement of standards through well-publicized disciplinary guidelines

6) procedures for internal monitoring and auditing

7) procedures for ensuring prompt response to detected offenses and development of corrective action initiatives

8) a comprehensive fraud and abuse plan that includes procedures to voluntarily self-report potential fraud or misconduct related to the Medicare Part D program to the appropriate government authority

These CMS requirements are a good starting point for the development of an effective compliance program. Companies that want to ensure the most protection from their programs should also consider designing them around the framework outlined by the United States Sentencing Commission in its comprehensive guidance on compliance programs. In addition to documenting the CMS required elements of their compliance programs, organizations should also be prepared to demonstrate how their programs have promoted an organizational culture that encourages ethical conduct and a commitment to compliance with the law. It should be further demonstrated that the compliance program has been fully implemented, with the full support of senior management and the board. The government is no longer satisfied with compliance plans that simply restate and regurgitate the regulatory requirements. There must be evidence that the plan, and the culture that supports it, is being incorporated into the organization’s business operations.


In anticipation of future audits and increased enforcement efforts in this area, MA Plans and PDPs should carefully examine their existing compliance operations. Risk assessments should be objectively designed and carried out to prioritize compliance activities. “Paper programs” with nicely written manuals, but little real commitment, will no longer pass muster. After more than a decade of serious investigatory and enforcement action against providers, pharmaceutical companies, and recently, device makers and suppliers, the government has become sophisticated in its ability to analyze compliance programs, and is highly motivated to show serious returns on its investment, not simply to ensure lawful behavior, but also to help fund under-funded health care programs.

No matter how well-intentioned, companies can no longer hold once a year compliance training and contend that their compliance programs are effective. The government auditors expect to see evidence of an organization’s “culture of compliance,” including regular involvement of the compliance department in sales, marketing and other business activities. An effective compliance program should help to guide management and employees through the complex maze of the health care regulatory system. It should be proactive and helpful, and not be viewed as the “police.” An effective program will not just sit back and wait for the whistle-blowers to call – it will help to give them a reason not to call in the first place.

1 OIG’s full report can be found at Prescription Drug Plan Sponsors’ Compliance Plans (OEI-03-06-00100),

OIG’s full report can be found at Prescription Drug Plan Sponsors’ Compliance Plans (OEI-03-06-00100),

Related Insights