Overview of Compliance Element #5:
Enforcing Standards: Consequences and Incentives
As we continue our review of the 7 Elements of an Effective Compliance Program, we now review Element 5: Enforcing Standards: Consequences and Incentives.
For a compliance program to be effective, we must establish appropriate consequences for instances of non-compliance and incentives for compliance. Both are important to enforce compliance.
To deter non-compliant conduct, consequences of non-compliance are applied appropriately and consistently. At HPSJ, failure to complete mandatory compliance trainings by the due date result in an unsatisfactory rating on the employee’s annual performance evaluation and make the employee ineligible for an incentive pay. That’s an example of an appropriate and consistent consequence.
We also use incentives to encourage participation in the compliance program. An example of such incentives is company-wide recognition with a Values Award at an AllStaff Meeting for maintaining compliance. Three of our five values correlate to compliance:
• ACCOUNTABILITY: We are responsible to others and accept responsibility for our actions and their outcomes.
• INTEGRITY: We are respectful, trustworthy, and honest in our communications and actions.
• STEWARDSHIP: We are judicious and prudent in the use of the resources with which we are entrusted.
You may not always see consequences or incentives when they occur – it may not be possible to publicly recognize individuals who raise concerns that result in the mitigation of harm or risk, especially when people wish to remain anonymous. However, we know that enforcing standards with consequences and incentives is key to creating an effective compliance program.
Regulatory Affairs & Communication (RAC)
Do you have a question for Compliance? To submit an inquiry, on SharePoint go to Team Sites > Compliance > Requests > Submit an Inquiry or simply use this link: check it out here.
What’s going on at the State and Federal levels? To support you in your role and ensure timely awareness of changes to regulatory and contractual requirements, RAC attends regulatory calls (DHCS Managed Care Plan Call - MCPC) and other regulatory meetings/calls where key regulatory information is shared.
DHCS hosted a webinar on “Subacute Care”
On October 7th, DHCS hosted a webinar on Subacute Care, providing an indepth overview of various aspects of this specialized care. The webinar covered the differences in levels of care, the services these facilities offer, and the specialized equipment and treatments involved. Subacute Care is divided into two types: Adult Subacute Care and Pediatric Subacute Care. To provide comprehensive insights, the meeting featured a panel discussion representing both types and included a guest speaker from a Pediatric Subacute Care facility. For more details, please refer to Spotlight on Subacute Care.
DHCS hosted a webinar on “Skilled Nursing Facility Accountability Sanctions Program”
On October 21st, DHCS hosted a webinar on the Skilled Nursing Facility Accountability Sanctions Program. This program imposes monetary sanctions on facilities that fail to meet certain quality or equity measures on a per Medi-Cal bed day basis. This webinar highlighted key policy changes for MY 2025, including the discontinuation of the Racial and Ethnic Data Completeness measure and the introduction of a new measure: Percent of residents who lose too much weight. For more details, please refer to Skilled Nursing Facility Accountability Sanctions Program Webinar 20241021.
RAC maintains material from those weekly calls. Check out previous meetings HERE.
All Plan Letters (APL)
DHCS and DMHC release APLs to communicate changes in Federal or State policy or procedure and provide instruction to MCPs on implementing these changes. RAC analyzes the APLs to ensure compliance with the requirements and to meet timely filing. Draft APLs (denoted by “XXX” indicating that a policy number has not been assigned by both regulators) are issued by both DHCS and DMHC on a regular basis to solicit feedback from MCPs before they are officially published and become effective. During this period, MCPs have the
opportunity to provide feedback or concerns to DHCS and DMHC on upcoming APLs. Here are the APLs that were recently released:
A. DHCS Regulatory Notices
APL 24-XXX Skilled Nursing Facility Workforce Quality Incentive Program
Issued Date: September 10, 2024
Summary: This draft APL provides Medi-Cal managed care plans (MCPs) with instructions on the payment and data sharing process required for the Skilled Nursing Facility (SNF) Workforce and Quality Incentive Program (WQIP) for Rating Periods between January 1, 2023, and December 31, 2026.
B. DMHC Regulatory Notices
APL 24-019 – Amendments to Rule 1300.67.2.2 and the Incorporated Annual Network Submission Instruction Manual and Annual Network
Report Forms for Reporting Year 2025
Issued Date: October 30th, 2024
Summary: This APL was issued to inform health plans of new amendments to 28 CCR §1300.67.2.2 and the incorporated Annual Network Submission
Instruction Manual and Annual Network Report Forms for the reporting year (RY) 2025 Annual Network Report submission.
NEW All Plan Letter (APL) Policy Filing Process
We've got some exciting changes to our APL policy filing process that you'll want to know about.
All policies must complete the policy workflow before submission. This means that policy owners revising their policies for an APL will need to make sure their department executive approves the policy before it is submitted to the Compliance policy team. Upon receipt, Compliance will conduct a review before it is submitted to our CEO for approval. Once all approvals have been obtained, Compliance will submit the policy to DHCS/DMHC if applicable.
RESPONSIBLE PERSON
is not
Regulatory Reports
Under our contract with DHCS and in compliance with our Knox Keene license (DMHC), we must routinely submit reports demonstrating compliance and performance. Below is a list of reports due for submission in the next few weeks. The table includes a hyperlink to the report and the accountable Director and Executive for the report. Check out the list to find out which ones are in your department. Click on the report title for more information.
Report Title
Provider Directory File and Use
2024-11
ECM/JSON 2024-11
CBAS Waiver 2024-10
274 File 2024-10
MCPDIP 2024-10
Data Certification 2024-10
Post Payment Recovery 2024-10
SRF 2024-10
PIN 2024-10
ECM/CS Quarterly Implementation
Monitoring Q3 2024
Encounter Data 2024-10
PHMS(Population Health Management Strategy)
LTC-SNF 2024-Q3
Consolidated Billing 2024-10
NEMT/NMT 2024-08
Accountable Director
Accountable Executive
Ana Aranda Liz Le
Clarence Rao
Victoria Worthy
Pamela Lee Tracy Hitzeman
Clarence Rao Victoria Worthy
Clarence Rao Victoria Worthy
Tamara Hayes Sunny Cooper
Christopher Navarro
Michelle Tetreault
Clarence Rao Victoria Worthy
Ana Aranda Liz Le
Niyati Reddy Liz Le
Clarence Rao Victoria Worthy
Kathleen Daziel Lakshmi Dhanvanthari
Johnathan Yeh Lakshmi Dhanvanthari
Clarence Rao Victoria Worthy
Dale Standfill
Liz Le
Community Health Worker Q3 2024 Niyati Reddy Liz Le
Written Summary QIHEC Q3 2024 Tracy Hitzeman Lakshmi Dhanvanthari
Claims Settlement Report Q4 2024 Aimee Griffin Michelle Tetrault
Provider Complaints
Provider complaints come to our Health Plan in different forms (e.g. Direct call to us or submission of dispute to DMHC). While our Provider Services and Claims team address those coming into us, Compliance is the point of contact for those coming through DMHC. From January 2024 through November 4th, 2024, we received 57 requests (22 Provider Complaints and 35 additional information requests), disputing 50 claims. In addition, each complaint may contain multiple issues that require a response.
Compliance coordinates a cross-functional group to review each complaint received by us. This group investigates the cases (from the original request to claim processing and dispute resolution) and prepares a comprehensive response to the DMHC about the provider’s concerns and the actions taken by us. These tables outline the status:
Table 1: Provider Complaints Received from DMHC as of November 4th, 2024.
Table 2: Provider Complaint Closures by Decision as of November 4th,2024:
Regulatory Audits
DHCS 2024 Routine Medical Survey (Audit)
The DHCS recently conducted a virtual onsite survey of HPSJ, covering the review period from August 1, 2023, to July 31, 2024. This survey aimed to ensure compliance with regulatory standards and quality care. Here's a summary of the process:
Preparation:
• We received notice of the survey on July 31, 2024.
• We submitted over 1,000 pre-onsite documents, including case and claims files, program documents, policies, procedures, and various reports.
• We conducted 28 mock audits with internal staff in preparation for the virtual onsite visit.
Virtual Onsite Visit:
• DHCS reviewers conducted virtual onsite sessions from October 28, 2024, to November 7, 2024, interviewing staff, and reviewing documentation.
• DHCS conducted a total 19 audit interview sessions and one entrance and one closing conferences.
• The closing session on November 7, 2024, noted 9 items of concern to be included in the preliminary report.
Identified Concerns:
Despite our best efforts, a few areas were highlighted for improvement:
1. Prior authorization requirements were incorrectly applied to preventive services.
2. Prior authorization requirements for cancer biomarker testing for advanced or metastatic stage 3 or 4 cancer were not correctly applied.
3. Notifications to members regarding prior authorization requests were not always provided within required timeframes due to delays in obtaining out of network provider agreements.
4. The appropriate fully translated Notice of Action (NOA) template was not used to inform members of prior authorization denials.
5. The appeal process did not review Medi-Cal provider manual criteria for pharmaceutical requests.
6. The imposition of corrective action plans on one delegate was not reported to DHCS contract manager within 3 working days.
7. Prior authorization requirements were incorrectly applied to family planning services.
8. Not all clean claims were paid within 30 days of receipt.
9. Potential quality issues were not investigated expeditiously, impacting timely action to improve care quality.
Evaluation:
• Based on the information collected, auditors will assess our compliance with contractual and regulatory requirements, DHCS auditors will issue a preliminary report to us. It is currently projected to be issued to us in late January 2025.
Exit Conference & Rebuttal Period:
• Preliminary report estimated release: January 29, 2025. We will have 15 calendar days to rebut the findings if applicable.
• The final report will be issued in February 2025. We will have 15 calendar days to respond before the final report is posted on DHCS’ website.
• The formal Corrective Action Plan (CAP) request will be sent to us separately from the DHCS Audit Monitoring Unit.
Follow-Up:
• DHCS may conduct follow-up reviews to ensure compliance.
DMHC 2025 Follow up Survey
DMHC is conducting a follow-up survey to ensure that we have addressed the deficiencies identified in the 2021 DMHC Routine Survey. Compliance has been working with business owners to correct the deficiencies identified since we received the preliminary and subsequent final reports from DMHC in late 2023 and early 2024.
Documents are due to Compliance by November 22, 2024. The audit review period is March 1 through September 30, 2024. Here are the deficiencies the Department is reviewing during the follow-up survey:
1. Adequate Consideration and Rectification of Grievances.
2. Acknowledgement Letters Contact Person.
3. Published DMHC Statement.
4. Grievance Resolution Letter does not include description of Clinical Criteria
5. Grievance Resolution Letter does not include IMR Form.
6. For Expedited Grievances, Members are not informed they may contract DMHC.
7. Online Grievance Form does not include the Regulatory Paragraph.
8. Delegate oversight of grievances and appeals.
9. Process for updating Provider Directory does not meet requirements.
10. UM NOA does not include Regulatory Paragraph in the required format
11. Process for the denial of experimental care.
12. UM NOA denial decision is not clear
13. Annual Notification to request authorizations for post-stabilization care.
14. Timely notifications of decision on authorization request for post stabilization.
15. Rx NOA denial decision is not clear.
16. Pharmacy Formulary all required information.
17. Delegate oversight of prescription drug coverage
18. IMR decisions are not communicated timely and in writing.
19. Summary of UM process on public facing website
20. Provider Directory does not include Disclosure Notices.
21. 24-hr access to request authorizations for post-stabilization care.
Staff interviews will be conducted beginning February 24, 2025. The interviews are estimated to last less than one week.
Program Integrity Unit (PIU)
The PIU investigates and reports all potential fraud, waste or abuse (FWA) and HIPAA violations, along with conducting exclusion monitoring for Third Parties. Here are some recent items we have been working on:
Privacy & Security Incidents
Privacy Tip #1 – Remember to lock your computer, anytime you leave your workstation.
Privacy Tip #2 - Remember to report all privacy incidents to the PIU Team by submitting a privacy incident report at this link, within 24 hours of discovering the privacy incident.
Below is a summary of the types of HIPAA incidents that have recently been investigated. As you look through these, think about how you can prevent these incidents from recurring, and make sure to report them when they occur. We had 20 HIPAA incidents that occurred between October 1 – October 31, 2024. Four of these were reportable to DHCS Below are some reminders for your reference purposes:
1. A Provider mistakenly handed a member a document containing the PHI of other patients.
Reminder: Though this incident was committed by the provider, it is a good practice to remind ourselves to double check and make sure the document is given to the correct recipient.
2. A member’s identity was stolen.
Reminder: If a member suspects their identity was stolen, we should issue the member a new member ID and advise them to file a police report if needed.
3. Our staff sent member PHI to the incorrect Provider.
Reminder: Before faxing a document, we should always double-check to ensure that we are sending PHI to the correct recipient.
Fraud, Waste, and Abuse (FWA)
The PIU is on constant alert, managing potential FWA incidents at every stage of investigation.
Recent Updates
: In the last month, we received three (3) leads One was converted into an active case, while the others were closed. Our team is actively investigating 19 ongoing cases.
Did You Know?
Why It Matters
The funds we manage come from taxpayers, and it’s our duty to use them responsibly. Preventing fraud, waste, and abuse isn’t just about compliance – it’s about safeguarding resources that support our community’s health and well-being.
Your Role
If you notice a suspicious activity or have concerns about possible FWA, don’t hesitate to report it. Together, we can ensure our resources are used efficiently and ethically. Stay vigilant. Stay committed.
Provider Exclusion Monitoring
MCOs must have appropriate health information systems and abide by data, information and documentation reporting requirements. 42 CFR Parts 438.242 and 438.604; MCOs and their subcontractors must keep records for at least 10 years. 42 CFR Part 438.3(u); MCO subcontractor relationships and delegation obligations are delineated, including agreements by others to comply with all applicable Medicaid laws, regulations, guidance and contract provisions. 42 CFR Part 438.230.
We are obligated to verify the eligibility of our Third Parties for their participation in the Medi-Cal Program. In accordance with state and federal regulations, our PIU team assesses eligibility no less than monthly. This is performed with a ThirdParty vendor that checks an inventory of our providers against several sources (e.g. List of Suspended and Ineligible Providers, U.S. Department of Health and Human Services, Office of Inspector General, System of Award Management, SSA Death Master file, and more). In addition to the monthly monitoring, exclusion checks are completed throughout the month ahead of a new Letter of Agreement 1 (LOA) being established with an out of network provider. PIU received 85 requests during this reporting period. Zero (0) restrictions were found. 1Compliance -
Audit & Oversight (A&O)
Risk Assessment Purpose
Imagine buying a used car. You want to know all you can about it – will it pass emissions? Has it been in an accident? Has regular maintenance been performed? Do all the functions work as they should? You want to check those things out as thoroughly as possible BEFORE making your purchase. And then, once you have the car, you want to make sure it stays in top working condition, so you perform regular checks (fluid levels, tire pressures) and make sure to go in for a check-up if something goes wrong (like the engine light coming on).
The concept of car buying, and maintenance is a useful comparison to Compliance Risk Assessments. A Risk Assessment may be conducted prior to engaging with a Third-Party entity (an example of “inherent risk”), on a regular basis once they are engaged, or when an event occurs with them or with internal operations that requires additional attention (this event-based scenario is known as “incident risk”).
To perform a Risk Assessment, the Compliance Division reviews a variety of documentation for the entity or area being assessed. This documentation may include contracts, policies, incident reports (e.g., compliance reports, investigation outcomes, audit and monitoring results, operational performance reports). Compliance compares this documentation to regulatory requirements, HPSJ standards, and other pertinent guidelines (for example, National Committee for Quality Assurance (NCQA) accreditation standards) to evaluate potential risks and ensure alignment with the regulations and guidelines.
Once these initial reviews are complete, the entity or area is assigned a risk level (High, Moderate, Low). These risk level assignments then result in an outline of all evaluations based on risk level: also known as the Risk Matrix.