Many industries have compliance rules and regulations to meet and follow, but few would dispute that healthcare is one of the most stringent. Within the US Department of Health and Human Services (HHS), the Centers for Medicare & Medicaid Services (CMS) is responsible for overseeing and administering various healthcare programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).
Part of that job is to create guidance on rules, regulations, and standards established by the CMS to ensure healthcare providers and organizations comply with federal laws related to healthcare delivery, reimbursement, and patient care.
CMS Compliance Requirements
CMS compliance requirements are extensive, covering a wide range of topics:
- Billing and coding – healthcare providers must accurately code and bill for services rendered to ensure proper reimbursement and prevent fraud and abuse.
- Quality reporting – providers are required to report on various quality measures to assess the quality of care provided to patients.
- Privacy and security – Compliance with HIPAA (Health Insurance Portability and Accountability Act) regulations to protect patient privacy and data security is crucial.
- Fraud and abuse prevention – Providers must have effective compliance programs to detect and prevent fraud, waste, and abuse in healthcare services.
- Accreditation and certification – Many healthcare facilities must meet specific accreditation and certification requirements to participate in CMS programs.
- Electronic Health Records (EHR) use – CMS provides guidelines for the meaningful use of electronic health records to improve patient care and data exchange.
This is just the beginning. CMS guidance requires Medicare Advantage Plans to independently audit their compliance program’s effectiveness. These audits should occur once per year.
CMS Compliance Audits
Compliance with CMS requirements is critical to healthcare delivery, particularly for organizations that participate in Medicare, Medicaid, or CHIP programs. Compliance audits ensure that healthcare providers and organizations are adhering to CMS guidance. These audits play a vital role in verifying providers meet the necessary standards and regulations.
Compliance audits aren’t a “one size fits all” process. Instead, they’re designed to look at different parts of the overall process. They can include:
- Program integrity audits – detecting and preventing fraud, waste, and abuse in healthcare services and billing.
- Quality reporting audits – evaluating compliance with quality reporting requirements, which assess the quality of patient care.
- HIPAA compliance audits – ensuring compliance with HIPAA regulations to protect patient privacy and data security.
- Accreditation and certification audits – verifying healthcare facilities meet specific accreditation and certification standards.
CMS compliance audits change each year based on new regulations. CMS plans routine and focused audits to verify compliance with these new regulations. For 2024, this includes implementing utilization management in the Medicare Advantage program and new clinical coverage requirements.
CMS Compliance Audit Process
Not everyone will face CMS compliance audits each year. Healthcare providers and organizations may be selected based on various factors, including:
- Risk assessment – CMS conducts risk assessments to identify providers with a higher likelihood of non-compliance or fraudulent activities.
- Random selection – Some audits may be randomly assigned to providers to ensure a broad and unbiased assessment.
- Complaints and whistleblower reports – Complaints from patients, employees, or whistleblowers can trigger audits.
If selected for an audit, your organization will receive a formal notification from CMS outlining the audit objectives, including a list of requested documentation. It’s important to respond promptly and provide requested documentation to demonstrate compliance.
The audit process typically involves a review of documentation, interviews with staff, and on-site visits, as deemed necessary. The complexity depends on the type and scope of the audit. With this information, auditors will assess whether you follow CMS guidance and regulations.
After the audit is complete, CMS will provide findings and recommendations. If any compliance issues are identified, your organization must take corrective actions to address deficiencies and ensure future compliance.
Disagree with the findings? You have the right to appeal audit findings you believe are incorrect or unjust and present additional evidence and arguments to challenge the conclusions.
This isn’t a “one and done” process. Maintaining ongoing compliance with CMS requirements is crucial. Whether you’re audited or not, you should continually monitor practices, update policies and procedures as needed, and stay informed about CMS updates and guidance.
Training your staff is key. It’s the best way to proactively address compliance issues, provide high-quality care, protect patient rights, and maintain eligibility for CMS programs.