New Versus Old CMS Protocols and How to Plan for Mock Audits

By Yvonne Zachman Fiedler & Alexander Henrichs
Tue, Oct, 15, 2019

Even though CMS has delayed for a year when it will implement its new audit protocol for Medicare plans, now is the time to map out a proactive strategy and develop a budget to include conducting a CMS mock audit. Doing so will significantly reduce your plan’s compliance risks.

What is a mock audit?

A CMS mock audit is a practice run against the published CMS protocol to see how the health plan performs. This includes using the CMS protocols a CMS auditor would use to review the appropriate Medicare plan data and identify specific areas where that plan is at heightened risk for being deemed in violation of CMS requirements. Some plans conduct these activities internally but many choose to have an outside expert conduct the audit on their behalf. Mock audit findings are presented as a detailed report so organizations have a clear understanding of areas they should address before the actual CMS auditors come on site.

Gaining insight from a qualified outside expert is key to accurately identifying and understanding your plan’s specific risk areas so your organization can develop a clear plan of action to reduce compliance risks prior to the actual audit. It is especially important to plan and budget for a mock audit whenever CMS makes major modifications to its audit protocol, which generally occurs once every five years. That’s because new protocols issued by the agency significantly increase a health plan’s CMS audit compliance risks.

Why consider a mock audit now?

CMS had originally been scheduled to implement its new audit protocol starting with audits conducted in 2020. However, the agency announced in August 2019 that it would extend its original 2016 collection request requirements, with minor revisions, until 2021. This was primarily due to the large number of industry comments the agency received concerning its proposed collection request issued in April 2018. (CMS now plans to issue an updated collection requirements request sometime in the coming months, for implementation starting with 2021 audits.)

In its August 2019 announcement, the agency also provided more clarity for health plans regarding specific data collection and submission requirements under the current protocol. The changes were minimal and clearly stated. This clarification should assist health plans that receive notices that they will be audited in 2020 to clearly understand the agency’s expectations.

While this reprieve is temporary, it does mean that any Program Audits conducted in 2020 will fall under the updated 2016 protocols. Here are some tips for making sure your organization will be prepared for a program audit in 2020, or beyond once the new CMS audit protocol is in place:

  • Think about your budgeting needs and submit your budget requests in advance so you can plan on conducting a mock audit based on the updated 2016 protocol requirements.
  • A good rule of thumb is to plan on conducting an independent, third party mock review of your organization at least every few years. This will keep your staff audit ready, allow you to proactively correct any identified non-compliance, and potentially self-report to CMS.
  • Make sure your IT department is in the loop and appropriately staffed and provided resources to do any data pulls that will be needed as part of the mock audit, in addition to the actual CMS audit.
  • Make sure you work closely with your outside vendors, especially your PBM, in order to receive claims and other data to be used as part of the mock audit. It’s advisable to review your PBM contract to determine what mock audit capabilities your PBM can provide and the kind of timing and advance notice that may be involved.
  • Be sure your internal departments with whom your compliance team and outside firm works are aware of their roles and understand the importance of meeting deadlines for deliverables associated with conducting the mock audit.
  • While there might be temptation to conduct a mock audit using the draft protocols, this is not be recommended. That’s because any new or changed processes in place for pulling universes together would need to be overhauled once the agency’s draft protocols are updated and finalized.

Planning to conduct a mock audit with the help of a reputable, experienced outside firm is the most effective and proven way to reduce your CMS compliance risks. Additionally, the benefits of conducting mock audits go beyond reducing compliance risk and include learning how to operationalize and implement best practices across your organization.