Health Ethics Trust – Best Practices Forum October 21 – October 22, 2013 Edward Stubbers WellPoint Medicare Programs Compliance Officer / VP Medicare Compliance
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
1
Table of Contents – WellPoint’s Medicare Programs
External Audit Process
Pages 3 - 9
Risk Management Process
Pages 10 - 22
First tier, Downstream & Related Entities Oversight Program
Pages 23 - 30
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
2
WellPoint’s Medicare Programs
External Audit Process
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
3
Overview – External Audit Process Audit Readiness Tools • Comprehensive tools and resources are developed and shared with Medicare Programs business areas to ensure audit readiness.
Risk Assessment • Potential risks are assessed and areas requiring additional action are identified for follow up to ensure successful outcomes.
Consistent Methodology and Tracking • Implement a cohesive approach and consistent course of action to the management of external audits.
Internal Corrective Action Plan (CAP) • Proactively identify the root cause of any identified noncompliance and implement corrective action.
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
4
Audit Readiness Tools • Tools
and Resources support audit readiness across WellPoint’s Medicare Programs division. Standard Templates
Audit Resources
• Used for Communication, Meeting agendas, Audit responses. • Readily recognized by all business and operations areas, facilitating prompt responses.
• Includes the Audit Playbook and Audit Interview Preparation Guide. • Provide Medicare Programs Business partners with tools designed to help them proactively understand the audit process and how to be audit ready.
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
5
Risk Assessment • Tools used to assess risk include: – OIG’s annual work plan – CMS’ annual Program Audit Process and Protocols – CMS’ bi-annual Best Practices memos
• Ensure impacted/implicated areas can easily understand the regulatory/audit requirements prior to CMS audits through: – Enhanced communication process – Targeting process – Simplification process
• Potential risks are assessed and areas requiring additional action are identified for follow up to ensure successful outcomes. COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
6
Consistent Methodology and Tracking • The following steps are taken with each audit: – Audit Notification Distributed Timely – Central Electronic Repository Created – Kick Off Meeting Held Promptly – Weekly Status Meetings – Pre-audit Checklist for Onsite Audits – Comprehensive, Multi-level Quality Reviews – Cross Training of Medicare Compliance Staff and Business Staff – Lessons Learned Sessions Held Following all Audit Activity
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
7
Internal Corrective Action Plan (CAP) A Four Step CAP process was implemented: Problem Identified
Direct communication with Business
Monitoring & Reporting
Attestation
• Problem Identified: An innovative form tracks compliance gaps. • Direct Communication with Business: Ensures all aspects of findings/observations are addressed appropriately. • Monitoring & Reporting: Periodic follow ups ensure noncompliance does not reoccur and allows for easy ad hoc reporting and trend analysis. • Attestation: Executive leadership attests that all actions are accurate and will be executed as stated.
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
8
Results – External Audit Process • A reliable strategy to successfully and efficiently manage regulator audits and mitigate risks. • Notable results include the following: – Successful management of 17 external audits in the past 12 months, resulting in fewer findings and increased audit readiness across Medicare Programs. – The coordination, quality review, and packaging of 19,311 deliverables submitted in the past 12 months with 100% timely submission. – High praise from CMS and auditing contractors on the efficiency, quality and organization of documentation provided as a result of the Process. – Improved business processes and audit readiness across Medicare Programs. – Accessible real-time trending of audit results and business impact across Medicare Programs. – Significant decline in the number of CAPs received from audit activity. – Annual decline in the number of plans with Low Star Ratings.
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
9
WellPoint’s Medicare Programs
Programs Risk Management Process
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
10
Overview – Risk Management Program Continuous Risk Analysis & Formal Risk Assessment • In-depth assessment of all Medicare departments and Shared Services in conjunction with the Internal Audit Department.
Quarterly Risk Register • Risk and mitigation evaluations using an internally developed risk analysis tool.
Business-Level Compliance & Risk Mitigation Plans • Detailed Compliance Plan developed and maintained by each business area supporting Medicare Programs.
Focused Reviews & Data Analysis • Robust monitoring of key departments and functions to help ensure controls, processes, procedures, and oversight of risk is effective.
Continuous Risk Analysis
Risk Management Flow
Formal Risk Assessment
Quarterly Risk Register
Compliance & Risk Mitigation Plans
Focused Reviews & Data Analysis
Continuous Risk Assessment Other Indicators of Risk
Prior correcMve acMons
CompeMtor CMS Enforcement LeOers WellPoint IdenMfied Compliance Risks and Issues
FWA & FDR
Prior Internal Audit Findings
Risks Assessment Examples of Inputs
Business and System changes Business metric trending
CMS comments and Audit Findings
Management Input
Changes in regulatory environments
Formal Risk Assessment • In conjunction with regular monitoring, a formal risk assessment is conducted at mid-year and year-end. The results are utilized to develop the annual Focused Review/ Audit schedule. – Additionally, the results of the risk assessment drive the Risk Register and Business-Level Compliance Plans
• The Compliance team regularly reevaluates and reprioritizes the Focused Review/Audit schedule. • All changes to the Focused Review/Audit schedule are presented to leadership during the Medicare Programs Compliance Committee (MPCC).
Quarterly Risk Register • A quarterly assessment tool utilized by each Medicare business leader to capture potential issues. • The Risk Register has four (4) steps:
Identify & Capture Risk
Assess & Evaluate Risk
Develop Strategy to Effectively Mitigate Risk
Monitor and Report on Effectiveness of Mitigation Strategies
• The Risk Register utilizes a ranking system to capture the potential impact of each identified risk, as well as the status and effectiveness of the mitigation plan.
Quarterly Risk Register - Continued Risk Rankings Potential
Significant
• Still under review, but has potential for operational, financial or compliance impact.
• Noticeable operational, financial, or compliance impact. • Includes any member impact or abrasion.
Catastrophic • Substantial operational, financial, or compliance impact. • Includes larger member impact or abrasion.
Mitigation Rankings Adequate
Enhancements Needed
• Steps to mitigate the identified risk are adequate and on track for timely resolution.
• Steps to mitigate the identified risk need to be improved.
Quarterly Risk Register - Continued • All risks are reviewed by leadership and presented to the Medicare Programs Compliance Committee by Compliance. • The Medicare Programs Compliance Committee is accountable for reviewing and approving the Risk Register report and applicable mitigation plans. • Periodic updates are provided to leadership and the Medicare Programs Compliance Committee on the progress and effectiveness of Risk Mitigation Plans and Activities.
Business-Level Compliance & Risk Mitigation Plans • Each business area supporting Medicare Programs is required to develop and maintain a detailed Compliance and Risk Mitigation Plan specific to their work processes. • The purposes of these Plans are: To set forth business area specific principles, policies, and procedures. To detail risks impacting the business area’s compliance, if not effectively managed. To track, monitor, and report current compliance issues. To provide an overview of the mitigation strategy, milestone dates, and impact level.
• Each business area presents their Compliance and Risk Mitigation Plan to the MPCC for review and approval at a minimum annually. • Updates are provided throughout the year to the MPCC with a status of the risks and mitigation strategies.
Focused Reviews & Data Analysis • Medicare Compliance coordinates with Internal Audit to ensure efficiency and to avoid duplicating efforts. • Focused Reviews are designed to confirm that processes and procedures are in compliance with CMS requirements, while also looking for opportunities to improve performance/compliance & reduce risks. • Findings from the Focused Reviews are reported to Medicare Programs leadership, as well as the Medicare Programs Compliance Committee. • Compliance requires all moderate and high risk items identified during the Focused Reviews to be added to the quarterly Risk Register.
Focused Reviews & Data Analysis - Continued • Most Focused Reviews utilize a data analysis tool to perform trending on large data sets. • Majority of data analyses are performed on a monthly basis, some are continuous and result in both increased efficiencies and a more robust risk analysis. • Data Analysis has been utilized to identify: Claim recoupment Abnormalities in Grievance and Appeal volumes Enhancements to Enrollment and Disenrollment queues
Focused Review- Example 1st Quarter Late Enrollment Penalty (LEP) Timeliness Review
2nd Quarter
3rd Quarter
4th Quarter
Customer Service Call Center Review
System Security Access Review
Prior AuthorizaMon Review
Grievance & Appeals Timely Dismissals Review
Quarterly Claims Data Analysis & Ad Hoc Reviews
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
21
Results – Risk Management Program • A measurable and positive impact on the overall compliance status of WellPoint’s Medicare Programs. •
Notable results include the following: – Since 2012, the Risk Register process has captured and tracked over 40 risks and associated mitigation plans. – Starting in 2012, 16 Medicare Programs business units have implemented detailed Compliance and Risk Mitigation Plans, approved by the MPCC. – Since 2010, 21 Focused Reviews have been performed, resulting in the identification and remediation of 66 issues and 32 process enhancements. – The Data Analysis process has helped WellPoint’s Medicare Programs identify significant financial savings of more than $340,000 over the past two (2) years through enhanced claims controls and procedures.
WellPoint’s Medicare Programs
First tier, Downstream & Related Entities Oversight Program
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
23
Overview – FDR Oversight Program Communication & Training • Various methods of publications and trainings help to educate FDRs on compliance requirements and expectations.
Monitoring & Auditing • Comprehensive tools developed to monitor and audit FDRs to ensure compliance with applicable laws and regulations.
Tracking & Reporting • Robust system of tracking identified compliance issues through remediation and ability to report out status.
Formal Oversight • Periodic reporting to management, board of directors, and compliance committees increase visibility and oversight.
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
24
Communication & Training • Various
opportunities developed to connect with FDRs to educate, clarify and keep FDRs up to date on requirements. Medicare Exhibit
Compliance Trainings
• contract exhibit dedicated exclusively to Medicare regulatory and program req’mts
• quarterly trainings held for FDRs
• all vendors/providers contracting to provide admin/provider services for MA and Part D Medicare services required to sign
• trainings cover rotating compliance topics, updates to guidance or processes, FDR requirements and examples, Q&A sessions
FDR Newsletters
Business Owner Meetings
• monthly communications sent via email
• quarterly meetings held for internal business units contracting FDR services
• content includes information on various compliance topics, clarification, examples, updates to existing requirements
• topics include FDR compliance trends, systemic issues, corrective actions, and best practices
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
25
Monitoring & Auditing • Comprehensive tools and processes created to monitor and audit FDRs to confirm and test compliance/audit readiness.
FDR Monitoring Process
• All FDRs monitored at least annually • FDR Monitoring Report developed to solicit information and confirmation FDR is following requirements • FDRs receive report identifying any compliance issues • Issues tracked through remediation
FDR Compliance Audits
• Risk assessment performed annually to determine highest risk FDRs • High risk FDRs selected are audited to ensure requirements followed • In depth review of FDR policies and process reviewed to ensure compliance can be demonstrated • Issues tracked through remediation
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
26
Monitoring & Auditing Pop-‐up Box Sec9on Explana9on & Regulatory Reference Links Clickable links to Regulatory Guidance Links Clickable inks to addi9onal resources
Features of the FDR Monitoring Report
This secMon seeks confirmaMon that required federal exclusion checks (OIG & GSA) are properly performed. QuesMon 27 asks for confirmaMon that all FDR employees (supporMng WLP Medicare Programs) are checked against both the OIG an GSA federal exclusion lists prior to hire and monthly thereaaer as required. .. Regulatory Reference: Medicare Managed Care Manual Ch. 21 & PrescripMon Drug Benefit Manual Ch. 9 SecMon 60.6.8 The Act §1862(e)(1)(B), 42 C.F.R. §§ 422.503(b)(4) (vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), 423.752 (a)(6), 1001.1901
Answer Box Drop Down Op9ons
Pop-‐up Box Addi9onal Ques9on Informa9on
Tracking & Reporting • Combination of processes and tools assist in tracking FDR compliance and provide reporting of current status. • Results tool allows user to review FDR monitoring report using a series of check boxes; Report is generated detailing compliance issues or gaps, regulatory requirement and reference, corrective actions required, and due dates. • Tracking tool allows users to log FDR monitoring details, outstanding issues or gaps, and due dates; current compliance status is generated and tracked based on information entered. • FDR ‘Compliance Status’ developed as an indicator of current FDR compliance using a stop-light color scheme that changes according to amount of time an FDR has unresolved compliance gaps/issues. • Internal effectiveness metric developed to demonstrate proper oversight of FDRs to leadership and Board of Directors; applicable associates accountable to stay within the effectiveness benchmark of at least 90% of FDRs green • Detailed SharePoint site used to maintain tracking/reporting tools, detailed FDR information, archival of FDR compliance documentation. COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
28
Formal Oversight • Periodic reporting to various levels of management and designated compliance committees provide formal oversight. Periodic Reporting of FDR Status – Weekly reports sent to compliance management; compliance officer – Updates provided to FDR Compliance Committee – Quarterly reports sent to WellPoint Executive Leadership Team and Board of Directors
The FDR Compliance Committee – created to enhance the quality and effectiveness of FDR Oversight activities – meets quarterly to review current FDR compliance measures, discuss FDR compliance topics and updates, provide approval of substantive changes – membership incorporates both compliance and management across various business areas utilizing FDR services, as well as representatives of procurement, legal, and internal audit
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY
29
Questions?
Send an email to: Edward.Stubbers@anthem.com