Health Plan Audits: Access into Systems

access into systems

Access into systems and audits:

Health plans can gain access into the company’s system.  This will depend on what is in the company’s contract/Agreement with the health plan.  If the health plan has access into the company’s system:

  • The health plan may use their access to conduct a ‘desk audit,’ without written notification to the company, if is outlined in the contract
  • They have the ability to identify errors/anomalies, which can lead to an official audit
    • An official audit would be initiated with a notice to the company (usually a letter or email to someone of authority at the company.  This is customarily the head of the department being audited and the compliance official of the company.  (The compliance official is usually the point of contact for all health plan audits.)
    • If a health plan finds wrong-doing (e.g., issues with False Claims Act, Anti-kickback schemes) they have a responsibility to report the concern to CMS, which could open up different audit/enforcement avenues by the government

Health plan and Medicare Advantage Program and/or Data Validation audits (as discussed in POST #2) can be conducted via ‘webinar’ – a ‘webinar’ is a live audit of a system/process that the company uses to conduct business… This is conducted via Zoom or another web-conferencing platform.  Health plans will select a list of accounts to review during the webinar and the list is generally sent 2 hours before the audit starts.

Once the webinar starts, an individual at the company will share their screen and walk the health plan auditor step by step through the system module which is being audited.  The health plan is verifying and validating that the work is being done according to CMS/health plan guidelines, policy and procedures, and universe submitted by the company.  Health plans can also conduct on-site (in-person) audits and follow the same process as the webinar audits.

Government agencies (e.g., U.S. Department of Health and Human Services (DHHS), the Office of Inspector General (OIG), and/or their designees) can demand direct access into a company’s systems/books/records.  Providers/the company must maintain their records for ten (10) years so that the health plan or government agency can inspect, evaluate, or audit the information.  The government’s right to access a company’s system survives the termination of the company’s agreement with the health plan and even the health plans agreement with CMS.  Typically, the Medicare Advantage/Health Plan Agreement includes a section which indicates that the company will provide CMS access to information when requested.  The request could be issued in writing or by CMS accessing the company’s premises or physical facilities.

If wrong-doing is identified, based on the audits/evaluation of information, the company and company officials could face certain penalties and risks.  

Look for my final post on this topic, Health Plan Audits: Penalties & Risks for more highlights.