Medicare Part D Compliance: A Day of Reckoning Approaches

Rita Isnar | February 2011

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) [1] established the Medicare Part D outpatient prescription drug benefit, which took effect on January 1, 2006. The magnitude of expenditures and impact of this benefit on beneficiaries, from both health and financial perspectives, have made it a priority of Medicare to ensure the Part D program operates efficiently and effectively and is protected from fraud and abuse.

This includes requirements for implementing Medicare Part D compliance programs that include detection, correction, and prevention of fraud, waste, and abuse. Part D prescription drug coverage is provided by private organizations known as prescription drug plan (PDP) sponsors.

Despite the significance of the Medicare Prescription Drug, Improvement, and Modernization Act and the Part D benefit, few PDPs have met all of CMS’s requirements for addressing fraud detection, correction, and prevention by developing an effective compliance program. The Centers for Medicare and Medicaid Services (CMS) is responsible for oversight and implementation of safeguards to protect the integrity of the Part D benefit. However, the oversight of Part D eligibility programs continues to evolve slowly.

An effective compliance plan helps PDPs protect the integrity of Medicare funds by preventing fraud, waste, and abuse.  Since 2005, federal regulations [2] have required PDPs to have compliance plans in place. Chapter 9 of CMS’s Prescription Drug Benefit Manual, provides guidance on the elements outlined in regulatory requirements along with additional requirements and recommendations. [3]

The OIG has also raised concerns about the non-compliance of PDPs of many requirements outlined in the Chapter 9 manual. One 2006 evaluation [4]  issued by the OIG found that while all PDP sponsors had some form of compliance plan established, the PDP sponsors had not fully addressed all of the requirements CMS specified in its guidance documents. Certain PDP sponsors compliance plans contain only the broad outlines of a fraud and abuse plan.

Although many of the Part D safeguard activities are to be conducted by MEDICs, for most of 2006, CMS had contracted with only one functioning MEDIC. MEDICs are responsible for many Part D oversight activities which may include analyzing claims and other data, investigating complaints, and reviewing the fraud and abuse components of PDP sponsors’ compliance plans.

In October of 2008, the DHHS, OIG issued a second evaluation [5] indicating that CMS oversight of PDP sponsors has been lacking. The OIG recommended that CMS should conduct routine audits of PDP sponsors’ compliance programs to ensure that they meet all applicable Federal requirements. Specifically, the audits should cover all compliance plan requirements as outlined in the Code of Federal regulations and the Chapter 9 manual.

Lastly, the GAO recently published a report issued on March 3, 2010 [6] indicating that CMS had not conducted audits as it had detailed in its 2005 Part D Oversight Strategy to ensure that sponsors had implemented fraud and abuse program plans. The GAO indicated that in February 2010, “CMS officials told GAO the agency had completed desk audits (reviews of requested documents) in 2008 and 2009 and was beginning to implement an expanded oversight strategy.”

So why the double standard? Why are hospitals and other providers so highly scrutinized when Medicare Part D compliance benefits are ripe for enforcement activities? The answer is…not for long.

On April 15, 2010, CMS issued a final rule [7] notice in an effort to increase its oversight efforts and ensure that sponsors have effective compliance programs in place. As part of the conditions necessary to contract as a Part D plan sponsor, any entity seeking to contract as a Part D plan sponsor must have administrative and management arrangements in place. [8]

Now, a PDP sponsor must adopt and implement an effective compliance program, which must include measures that prevent, detect, and correct noncompliance with CMS’ program requirements as well as measures that prevent, detect, and correct fraud, waste, and abuse. The compliance program coverage must, at a minimum, include the following ‘standard’ core requirements.

  • Publish, establish and circulate written policies, procedures, and standards of conduct.
  • The designation of a compliance officer and an executive level compliance committee who report directly and are accountable to the Part D plan sponsor’s chief executive or other senior management.
  • Each Part D plan sponsor must establish, implement and provide effective training and education for its employees including, the chief executive and senior administrators or managers; governing body members; and first tier, downstream, and related entities.
  • Establishment and implementation of effective lines of communication, ensuring confidentiality, between the compliance officer, members of the compliance committee, the Part D plan sponsor’s employees, managers and governing body, and the Part D plan sponsor’s first tier, downstream, and related entities.
  • Sponsors must have enforcement of standards through well publicized disciplinary guidelinesSuch well-publicized disciplinary standards must be implemented through formalized policies and procedures which encourage good faith participation in the compliance program by all affected individuals.
  • Sponsors have broad responsibilities regarding monitoring and auditing.  The establishment and implementation of an effective system for routine monitoring and identification of compliance risks is critical. The system should include internal monitoring and audits and, as appropriate, external audits, to evaluate the Part D plan sponsors, including first tier entities’, compliance with CMS requirements and the overall effectiveness of the compliance program.
  • Establishment and implementation of procedures and a system for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of self-evaluations and audits, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensure ongoing compliance with CMS requirements.

Note that Chapter 9 provides significant guidance and detail for each of these components. It notes that a PDP plan sponsor should have a process in place “to refer potential violations of applicable Federal and state criminal, civil and administrative laws, rules and regulations to the MEDIC and/or law enforcement for further investigation within a reasonable period (but not more than 60 days after a determination that a violation may have occurred).”

Further, the PDP plan sponsor should have procedures in place for responding timely to data requests by CMS, Medicare Drug Integrity Contractors or MEDICs, and law enforcement, or their designees. [9]

The Final Guidance emphasizes the importance of self-reporting. A Sponsor with a Special Investigation Unit should be made responsible for investigating potentially fraudulent activity and should refer any determined or suspected fraud, waste, or abuse to the appropriate MEDIC within sixty days. However, CMS does not expect Sponsors to pursue fraudulent activities in the same way as law enforcement.

Further, Chapter 9 indicates that Sponsors should self-report fraud at the plan level as well as that at the first tier, downstream, or related entity levels. [10]

Part D plan sponsors must be prepared to undergo an audit by CMS or any person or organization designated by CMS. This means being prepared to undergo inspection or evaluation of the quality, appropriateness, and timeliness of services performed under the Part D plan sponsor’s contract. Part D sponsors, much like other health care providers should have a CMS audit preparedness plan.

Not only must Part D plan sponsors be prepared for an audit and inspection of any books, contracts, and records, healthcare entities should be prepared to drive the audit process. This includes preparing appropriate and highly organized documentation demanding less of government auditors.

However, before even being apple to prepare for pending CMS audits and evaluations, PDP plan sponsors must still establish effective compliance programs. Achievement in a Part D prescription drug plan (PDP) compliance program assures a disciplined approach to compliance with the applicable laws and regulations and to the implementation of an effective program to detect, correct, and prevent fraud, abuse, and waste.

An effective PDP sponsor compliance program will make effective use of the organization’s existing compliance and fraud and abuse programs. Establishing an effective compliance program in light of the “compliance day of reckoning” and looming CMS enforcement initiatives should be the priority of any Part D sponsor.

1. Public Law 108-173

2. 42 CFR 423.504(b)(4)(vi)

3. CMS, “Prescription Drug Benefit Manual,” ch. 9—Part D Program to Control Fraud, Waste and Abuse (April 25, 2006). Available online at

4. Prescription Drug Plan Sponsors’ Compliance Plans, December 2006, OEI-03-06-00100.

5. Oversight of Prescriptions Drug Plan Sponsors’ Compliance Plans, October 2008, OEI-03-08-00230.

6.    Medicare Part D, CMS Oversight of Part D Sponsor’s Fraud and Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion.

7.    75 Fed. Reg. 19678 (April 15, 2010).

8.  42 CFR 423.504(b)(4)(vi).

9. CMS, “Prescription Drug Benefit Manual,” ch. 9—Part D Program to Control Fraud, Waste and Abuse Sec. (April 25, 2006). Available online at

10. CMS, “Prescription Drug Benefit Manual,” ch. 9—Part D Program to Control Fraud, Waste and Abuse Sec. 20 (April 25, 2006). Available online at

Chapter 9 indicates that for many Sponsors, traditional fraud, waste and abuse programs have been aimed at the conduct of third parties submitting claims to the Sponsor and are often implemented by Special Investigation Units (SIUs), whereas their compliance programs typically encompass the organization’s efforts to monitor itself and its subcontractors with respect to contract regulations and compliance with applicable laws and regulations.

About the Author

Rita Isnar joined Strategic Management in 2003 and is responsible for client fulfillment activities. Her in-depth knowledge and compliance experience includes managed care, Medicare Parts C & D compliance program development and implementation, government enforcement initiatives, quality of care issues and regulatory compliance.