top of page

CMS 2021 Audit & Enforcement Report

Updated: Aug 18, 2022

On June 7, 2022, The Centers for Medicare & Medicaid Services (CMS) announced the release of the 2021 Part C and Part D Program Audit and Enforcement Report. The report provides information on the program audit process, a current snapshot of the program audit landscape, a summary of the 2021 program audits, as well as CMS' enforcement actions.

One of the most notable takeaways from the report is the largely continued trend of improved scores across each of CMS’ audit protocols. In the table below, 2021 scores are reflected in the right-most column with comparison to prior audit years going back to 2013. Cells colored red denote an increase from the prior year whereas cells colored green denote a decrease from prior year scores:

While it’s important to note that CMS does not have a large number of sponsors in any given individual year, it’s equally important to note that within a three-year period the agency audits approximately 95% of all enrollments in the Medicare Advantage and Prescription Drug programs. Geographically, over the past three years, the largest percentage of these audited enrollments have been of plans that operate in North Dakota, South Dakota, Minnesota, New York, and North Carolina.

Additional highlights include CMS’ imposition of 16 civil monetary penalties (CMP) totaling just over one million. The average of $65,247 per CMP is the lowest since 2018 ($39,674) and represents a significant reduction over the 2019 audit year ($200,715). It’s significant to note that the largest number of referral types and enforcement actions taken in the CY21 program year were for One-Third Financial Audits, preceding Parts C and D Program Audits.

Interestingly, CMS included two new sections in this year’s audit and enforcement report because of stakeholder feedback - Program Audit Insights and 2022 Process Improvements and Insights from the Enforcement Process.

In the new Audit Insights section, although CMS does provide what they perceive to be vulnerabilities that sponsors are expected to assess carefully and routinely, it is unclear if these vulnerabilities were actually observed or found to be non-compliant within their 2021 audit season. Instead, CMS broadly encouraged plans to use their protocols, conduct mock audits, and work on identifying vulnerabilities for their organizations. Nevertheless, CMS’ cited examples included longstanding issue area that have previously dominated CMS guidance regarding best practices and common conditions such as:

  • Transitions to new systems or updates to legacy systems

  • Communication between systems that impact eligibility, enrollment, or claims

  • Recognizing when prior authorization or other utilization management standards have been satisfied

  • Providing appeal rights within denial notices

  • Triggering appropriate system flags (specific examples provided included alerting teams to aging coverage requests, or when health risk assessments or care plans require updating)

In the new Process Improvement section, CMS highlighted its issuance of the May 26 announcement which announced that the audit protocols they’d use to conduct the Medicare Part C and Part D Program Audits and collection of the Industry-Wide Part C Timeliness Monitoring Project were approved by the Office of Management and Budget, an effort on the part of CMS to represent a concerted effort to streamline and consolidate their data collection and reduce the overall burden on stakeholders. The CMS also highlighted their December 16, 2021 memorandum, “2022 Program Audit Updates”, which provided updates to the conditions of non-compliance classification definitions effective for 2022 program audits, which are as follows:

  • Immediate Corrective Action Required (ICAR) – Audit findings that inappropriately delay, restrict or limit an enrollee’s access to required medications and/or services are classified as ICARs. Generally, these are significant findings that require immediate action to mitigate impact on enrollees. The ICAR counts as two points in the audit scoring methodology.

  • Corrective Action Required (CAR) – Audit findings that do not have an immediate impact on the enrollee’s ability to request or receive medications and/or services but are still significant are classified as CARs. The CAR counts as one point in the audit scoring methodology.

  • Observation Requiring Corrective Action (ORCA) – Audit findings that are limited in scope, or otherwise mitigated, are classified as observations requiring corrective action. Generally, these findings are less significant, but require attention to ensure any enrollee impact is resolved and/or to prevent further non-compliance. Observations requiring corrective action do not count as points in the audit scoring methodology.

  • Observation – Audit findings that are insignificant are classified as observations. Generally, these findings represent an anomaly and do not require corrective action. Observations do not count as points in the audit scoring methodology.

In the audit and enforcement report, CMS added that the conditions resulting from Invalid Data Submissions (IDS) will still be cited in 2022 when sponsors are unable to produce an accurate or complete universe within three attempts.

Finally, CMS’ Lessons Learned for Sponsors section is perhaps the most practical takeaway for sponsors stemming from the report and includes CMS’ summary of observations made during their analysis of the 2021 enforcement referrals. These included the following lessons:

  • Medicare Parts C and D Plan-Directed Care: CMS reminded plans they can only hold their enrollees financially liable for applicable cost-sharing when a contracted provider refers an enrollee to a non-contracted provider for a service that is covered by the plan (also known as “plan-directed care”).

  • Monitoring Enrollee Overcharges: CMS recommended sponsors improve internal processes for monitoring and refunding overcharges to enrollees by contracted and non-contracted providers.

  • Financial Solvency and Contracting Requirements: CMS reminded plans they must be prepared financially to operate a MA-PD or PDP and that Federal requirements do not preempt state authority in the areas of licensure and fiscal solvency. Accordingly, when sponsors are out of compliance with these requirements and are subject to state actions that limit their ability to accept new enrollees as a result, they are also out of compliance with CMS’ requirement for contracted sponsors to accept new enrollments.

Unsure where to start? Our team has a strategic path forward. Contact us TODAY to get started.



bottom of page