Will Auditors Abide by CMS Rules?

CMS issued the Program Audit Process that sets forth rules auditors must abide by in 2023.

The 2023 Program Audit Process Overview from the Centers for Medicare & Medicaid Services (CMS) was released recently. The report is published by the Division of Audit Operations. CMS will send engagement letters to initiate routine audits beginning February through July.

Meanwhile, engagement letters for ad hoc audits may be sent at any time throughout the year. The program areas for the 2023 audits include the following:

• CDAG: Part D Coverage Determinations, Appeals, and Grievances;
• CPE: Compliance Program Effectiveness;
• FA: Part D Formulary and Benefit Administration;
• MMP-SARAG: Medicare-Medicaid Plan Service Authorization Requests, Appeals, and Grievances;
• MMPCC: Medicare-Medicaid Plan Care Coordination; 
• ODAG: Part C Organization Determinations, Appeals, and Grievances; and
• SNPCC: Special Needs Plans Care Coordination.

The Program Audit Process document is only 13 pages. Yet it is supposed to set forth the rules that the auditors must abide by in 2023. My question is this – what if they don’t? What if the auditors fail to follow proper procedures?

For example, similarly to last year, an audit consists of four phases.

1. Audit engagement and universe submission;
2. Audit field work;
3. Audit reporting; and
4. Audit validation and closeout.

I would like to add another phase: appeal.

According to the report, “the Audit Engagement and Universe Submission (the first stage) is a six-week period prior to the field work portion of the audit. During this phase, a sponsoring organization is notified that it has been selected for a program audit and is required to submit the requested data, which is outlined in the respective Program Audit Protocol and Data Request document.”

The sponsoring organization? CMS is referring to the provider getting audited as a “sponsoring organization.” Why does CMS do this? Is it because after the audit, the “sponsoring organization” will be paying recoupments?

It is interesting that the first phase, “Audit Engagement and Universe Submission,” lasts six weeks. At this point, I want to know, does the provider know that the facility has been targeted for an audit?

As an attorney, I get to see the process in the aftermath. Folks call me in distress because they got the results of an audit and disagree. I have never had the opportunity to be involved from the get-go. So, if any of you receive a notice of an audit, please call me. I won’t charge you. I just would love the experience of walking through an audit from the beginning. I think it would make me better at my job.

In other news, as you may know, CMS may issue civil monetary penalties to providers for alleged noncompliance. Other penalties exist as well, which may or may not be worse than civil penalties. On Jan. 23, CMS published a correction that Total Long term Care, Inc. d/b/a InnovAge Colorado PACE (InnovAge CO) corrected its violations. In 2021, CMS had suspended its ability to re-enroll.

Another facility was made subject to pre-payment review, which means that the facility must submit claims to an auditor prior to receiving reimbursements. Pre-payment review is probably the worst penalty in existence. A client of mine was told yesterday that pre-payment review is imminent. The only recourse is a federal or state injunction staying the suspension of reimbursements. You cannot appeal being placed on pre-payment review. But you do have a chance to stay the suspension.

The suspension makes no sense to me. It’s as if the government is saying that you are guilty before invoking an ability to claim innocence.