CMS defers adoption of self-reporting requirement but solicits comments on development of such a requirement.
After much anticipation, the Centers for Medicare and Medicaid Services (CMS) published its final rule with comment period (Final Rule) addressing contracting requirements for both the Medicare Advantage and Medicare Prescription Drug Benefit Programs (Programs). The Final Rule not only affects Medicare Advantage Organizations and Part D Plan Sponsors (Plans), but also likely will affect providers’ compliance programs and providers’ contractual relationships with Plans.
CMS deferred action on the mandatory self-reporting requirement set out in the May 2007 proposed rule. In addition, CMS has not yet finalized a separate set of proposals that would substantially modify certain Medicare Part D regulations, including the requirements for reporting and accounting for prescription drug costs, administrative costs, and rebates and other remuneration from pharmaceutical manufacturers.
Key issues from the Final Rule, which was published on December 5, 2007, are described below. The Final Rule can be accessed through the Federal Register.
CMS initially proposed that Plans be required to self-report “potential fraud or misconduct.” CMS elected not to finalize this proposal, but indicated that it remains “committed to implementing mandatory self-reporting and [intends] to issue a proposed rule.”
To this end, CMS requested comments—due by February 4, 2008—on self-reporting “to inform [CMS’s] evaluative, analytic, and guidance efforts.” In particular, CMS posed the following questions:
- How should CMS define what kinds of offenses would constitute fraud and misconduct to be reported?
- Would an alternate to “fraud or misconduct” better describe the categories of offenses to be reported?
- What entities should be responsible for making such reports to CMS (e.g., Plans, first tier, downstream entities)?
- When should reports be made to CMS—upon initial discovery? After a reasonable inquiry?
- Through what avenue should information be reported to CMS—through MEDICs, CMS plan manager, CMS central office?
- What other considerations should CMS take into account in developing a mandatory self-reporting policy?
Compliance Plan Requirements Effective January 1, 2009, the regulations for both Programs will require that a Plan’s mandatory compliance program include “effective training and education” as well as “effective lines of communication” between the [Plan’s] compliance officer “and the [Plan’s] employees, managers, and directors, and the [Plan’s] first tier, downstream and related entities.” This requirement will apply to contracted providers as they are included within the definitions of first tier and downstream entities.
CMS clarified in the Final Rule that Plans need not actually train all of their contracted pharmacies, physicians, hospitals, and other providers and contractors, and instead may delegate certain compliance functions, such as training. However, CMS reiterated its position that Plans “maintain ultimate responsibility” for meeting the regulatory requirements for compliance programs, and suggested that if compliance training is delegated to first tier and downstream entities, including providers, Plans should obtain training logs, certifications or attestations that the downstream entity has complied with the training requirements.
Importantly, the new regulation marks a shift in CMS’s approach to compliance requirements for Medicare Advantage Organizations (MAOs). CMS promised to issue further compliance guidance in manual form, which likely will substantially raise the bar for MAOs’ compliance programs, including imposing expanded requirements for MAOs to monitor (and report on) the conduct of their contractors, including contracted providers. Such an approach would be consistent with CMS’s previously issued chapter on compliance in the Medicare Prescription Drug Benefit Manual.
Through the Final Rule, CMS also eliminated the eighth element for Part D Plan Sponsors’ compliance plans. This eighth element echoed a statutory requirement that a Part D Plan Sponsor’s compliance program include a program to combat fraud, waste and abuse by the Part D Plan Sponsor as well as by third parties. CMS concluded in the Final Rule that an effective compliance program would achieve the same goals for fighting fraud, waste and abuse, and therefore eliminated this duplicative requirement as a separate program component. In its stead, CMS modified the introductory clause to the compliance program regulations, which now require that Plans have “[a] compliance plan, which must include measures to detect, correct and prevent fraud, waste and abuse.”
Access to Records of Plans and Their Contractors
CMS amended the Part D regulations by expanding the list of mandatory contract provisions in Part D Plan Sponsors’ agreements with first tier, downstream and related entities. Specifically, the requirement that first tier, downstream and related entities be contractually obligated to produce pertinent records to CMS and other government entities has been enhanced to require that the contract specify how such records must be produced—to CMS directly or through the Part D Plan Sponsor. CMS stated that it has no preference as to how documents are made available to it or its designee, so long as contracts in effect January 1, 2009, specifically address how any such productions are carried out.
Furthermore, although CMS did not change the regulatory language itself, the agency reiterated its position, first set out in the proposed rule, that its authority to request records from Part D Plan Sponsors as well as their first tier, downstream and related entities includes records and other documents relating to Part D rebate and any other price concession information. This could include copies of rebate agreements between PBMs and pharmaceutical manufacturers as well as any other records reflecting discounts, price concessions and other similar arrangements that may affect payment to Part D Plan Sponsors. CMS acknowledged that such information would be subject to restrictions limiting use, including limitations on disclosure of certain payment data consistent with various provisions of the Social Security Act regarding the confidentiality of rebate and other payment information.
Imposition of Intermediate Sanctions and CMP
The Final Rule adopted certain procedural changes to the regulations for imposing intermediate sanctions and civil money penalties (CMPs).
CMS eliminated the existing, informal reconsideration process for decisions to impose intermediate sanctions. In its place, CMS allows Plans an opportunity “to present information…that may affect [CMS’s] decision to impose an intermediate sanction” in the form of a rebuttal statement.
The Final Rule also clarified the responsibilities of CMS and the Office of the Inspector General (OIG) with regard to the imposition of intermediate sanctions and CMPs based on the type of Plan violation. CMS retains the authority to impose CMPs (in addition to other intermediate sanctions, including suspension of marketing, enrollment and payment) for certain contract determinations, such as the “carrying out of [the] contract with CMS in a manner that is inconsistent with the effective and efficient implementation of the [Program].” The OIG, in turn, “has the sole authority to impose CMPs for any determinations concerning false, fraudulent or abuse activities,” including submission of false data.
CMS adopted factors that it will consider in determining the amount of a penalty, such as the nature of the conduct, the degree of culpability and the history of prior offenses by the Plan or its principals.
Other changes include imposing the burden of proof on a Plan that is appealing an adverse contract determination; establishment of procedures for appealing CMP, intermediate sanction and contract termination decisions; and revisions to the role of the Administrator in the review of hearing decisions. These changes take effect January 4, 2008.
Contract Renewal Procedures
As expected, CMS revised the process of renewing contracts, so that contract renewal is automatic unless CMS or the Plan decides not to renew the contract. CMS will only provide notice to a Plan if it is non-renewing the contract, and the deadline for CMS to provide this notice is now August 1, rather than May 1.
Consistent with the adoption of automatically renewable, multi-year contracts, CMS has taken the position that “failure to substantially carry out a contract term necessarily would apply to the entire term of the contract…[Plan] contracts are evergreen, so the existing contract is not just the current calendar year’s contract, but is a continuing contract that existed during prior calendar years,” assuming the Plan participated in the Programs in prior calendar years. Thus, Plans may be subject to corrective action plans (CAPs), as described below, and other contract determinations for issues that arose in previous benefit years.
With the Final Rule, CMS adopted a structured process for using CAPs for contract determinations, terminations and non-renewal. Specifically, CMS set out a process for Plans to submit a CAP to CMS for review and approval. Once accepted by CMS, a CAP would have to be implemented according to a pre-determined schedule, and failure to do so would result in CMS issuing a notice of termination or non-renewal. Importantly, once CMS issues a notice of non-renewal, the Plan would no longer have an opportunity to submit a CAP.