New CMS Requirements – Data Validation Audit

New CMS Requirements – Data Validation Audit


Centers for Medicare and Medicaid Services (CMS) is shifting its health plan oversight strategy for Medicare Advantage Organizations (MAOs) and Part D sponsors to focus on more proactive data monitoring. Beginning in 2011 for calendar-year 2010 data, MAOs and Part D plans will be required, on an annual basis, to contract with qualified independent third parties to conduct defined audits on the validity and reliability of data used to generate CMS-mandated reporting measures.

In its November 23, 2009, memo announcing this new requirement, CMS stated, “…We continue to believe that only an independent data validation audit conducted by an external entity under contract to the MAO or Part D plan sponsoring organization would ensure that reported data used to develop plan performance measures are credible to other stakeholders, and that information used to respond to Congressional and public inquiries are reliable.”1

Failure to meet CMS specifications can result in enforcement of corrective actions that could lead to possible plan payment reductions and/or penalties under the False Claims Act. Adequate preparation for this audit is critical to shore up areas of weakness that could adversely affect the outcome of the audit and hinder your organization’s current position and future growth into new markets.

Challenges and Opportunities

The Data Validation Audit consists of an in-depth review of the policies, procedures, systems and documentation that support the compilation of the Part C and D measures. In preparation for this audit, plans are required to complete the Organizational Assessment Instrument (OAI), which provides a roadmap to the auditor for understanding and assessing the plan’s compliance with CMS standards.

Some of the common obstacles to undergoing such an audit successfully include:

  • Missing or incomplete policies and procedures
  • Manual, undocumented steps in the compilation of some measures
  • Functions delegated to third parties that may not be well-documented, adequately monitored or thoroughly understood
  • Lack of technical documentation that describes the consolidation, translation and compilation of the underlying data and source systems

Pulling together the OAI alone can uncover significant gaps in the reporting structure that would not meet CMS standards.

Our Point of View

MAOs and Part D sponsors should begin preparing for the CMS-required data validation audit as soon as possible, particularly if they have received outlier status in any areas related to the measures that are part of this review.

Plans should begin their efforts with two steps:

  1. Remediate areas that received CMS outlier notifications, which affect the in-scope measures.
  2. Begin populating the OAI, using it as a roadmap to review each measure methodically.

Using the OAI as a tool, each measure should be reviewed for areas that do not comply with CMS standards. These deficiencies should be assessed and prioritized accordingly, with plans put in place for proactive remediation. Plans should also consider mock or pilot audits to uncover some of the more detailed or technical deficiencies.

How We Help Companies Succeed

Protiviti has monitored the evolution of the data validation audit requirements and has developed an approach to assist MAOs and Part D organizations in complying with them. Our expertise in compliance, process improvement and technology can help these organizations to not only prepare for the audit, but also implement the institutional changes needed to improve corporate policies and procedures, monitor and maintain technical documentation, and develop internal staff knowledge and expertise as change and improvements are integrated into their organizations.

Protiviti’s industry and technical expertise meets the CMS qualifications for the independent third-party conducting the data validation audit. The framework below provides the foundation of our approach to execute the CMS requirements efficiently and effectively.

Protiviti’s collaborative approach coupled with industry experience helps organizations not only during the execution of the data validation audit, but also through the crucial preparation period. We will:

  • Provide an organized plan for audit preparation.
  • Ensure thorough preparation of documentation required for the data validation, namely the OAI.
  • Facilitate coordination with company delegates related to in-scope measures.
  • Address deficient documents, policies and processes prior to the audit.
  • Perform readiness or pilot audits prior to the 2011 audit period to identify weaknesses.
  • Perform the data validation audit in a complete and timely manner.


A health plan selected Protiviti to help implement its readiness methodology for the CMS data validation audit. We worked with our client to:

  • Develop a program that included a strategic assessment of the organization’s current reporting governance structure.
  • Identify systems, data and quality review programs that support CMS reporting for both internal and delegated entities.
  • Complete the Medicare-required OAI and confirmation of sufficient supporting documentation.
  • Complete a validation readiness pilot, limited to a cross-section of reports.

The readiness methodology measures compliance, recommends process changes and identifies efficiencies to close existing gaps. This will result in a substantially faster turnaround of a high-quality audit beginning in 2011.

Susan Haseley
Alex Robison
Richard Williams

Ready to work with us?