Conducting a Compliance Program Assessment for an MSSP Accountable Care Organization

January 18, 2021

A functional compliance program is the first line of defense for a Medicare Shared Savings Program (“MSSP”) Accountable Care Organization (“ACO”) in preventing, detecting and correcting noncompliance.

When effective, an ACO’s compliance program sets standards and assists with identifying risk, ensuring open lines of communication on compliance issues, implementing training to enforce standards, preventing the ACO and participants from employing individuals sanctioned by the government, conducting internal monitoring and auditing and, when offenses are reported or detected, promptly responding to threats through corrective action and required reporting.

Utilizing Centers for Medicare and Medicaid Services (“CMS”) guidelines, an ACO’s Compliance Officer (“CO”), as part of their principal duties, should evaluate whether the ACO has developed an effective compliance program as required in 42 CFR Part 425,[1] as well as other applicable state and federal regulatory standards.

If it has not already been put in place, the CO should develop a compliance work plan and audit tools that verify whether the ACO has a compliance foundation or a “culture of compliance” upon which to build.

In order to verify whether the ACO has implemented a “culture of compliance,” the CO should start documenting assurances that ACO participants, providers, suppliers and other downstream contractors are: (1) maintaining compliance standards; (2) educated about compliance issues; (3) in possession of resources to adequately and quickly identify, communicate and correct operational/compliance vulnerabilities; and (4) meeting professional standards applicable to the ACO and its core values.

Overview of MSSP Requirements

The Intent of the MSSP

The MSSP was first conceived from a Physician Group Demonstration Project during the George W. Bush administration.[2] Under the Patient Protection and Affordable Care Act (“PPACA”)[3] the MSSP was codified into law. CMS developed the MSSP to allow physicians, hospitals, and others involved in patient care “to be held accountable for the quality, cost, and experience of care of an assigned Medicare fee-for-service (FFS) beneficiary population.”[4] In this model, separate healthcare provider organizations come together as a single healthcare entity to ensure coordinated care for their patients. In other words, under the ACO model, separate provider types are responsible for working together to make sure that their patients, especially the chronically ill, “get the right care at the right time, while avoiding unnecessary duplication of services and preventing medical errors.”[5]

In order to participate in the MSSP, ACOs must demonstrate that they serve at least 5,000 Medicare beneficiaries and must maintain enough providers to serve those beneficiaries.

Participating ACOs must also agree to promote and develop the following:

  • Evidence-based medicine
  • Beneficiary engagement by offering incentives to maintain good health
  • A method for linking quality and financial performance and report regularly on both quality and cost
  • Coordinated care within the ACO

Since the MSSP started in 2012, CMS has seen significant growth in ACO participation. According to CMS data, in 2012, MSSP enrolled 220 ACO participants serving 3.2 million Medicare beneficiaries. By 2018, there were 561 ACOs participating in the MSSP (out of 649 total) that were serving a combined 10.5 million Medicare beneficiaries. In 2013, CMS rewarded approximately $316 million in performance payments. By 2016, that number grew to more than $700 million.[6]

Quality Benchmarks

Through quality performance benchmarks, participants in the ACO share in savings earned from providing high-value, high-quality care. MSSP rewards ACOs that lower health care costs – or, more specifically, lower growth in Medicare Parts A and B fee-for-service (“FFS”) spending – while simultaneously meeting performance standards on quality of care and putting patients first.[7] To demonstrate that the ACO is meeting its quality standards, the ACO is required to meet established quality performance standards on 31 measures that fall into one of four quality domains:

  • Patient/caregiver experience
  • Care coordination/patient safety
  • At-risk population
  • Preventive care[8]

The Importance of ACO Data Accuracy

Because ACOs pay out shared savings, or allocate shared losses, realized under the contractual arrangements for the MSSP in a way that aligns program performance with the ACO’s participant performance, ACO participants, ACO providers/suppliers and other individuals (including ACO employees and entities that have entered into agreements with the ACO to perform functions or services related to the ACO’s activities) must be fully committed to patient-centered care that focuses on proactive health maintenance.

However, merely delivering patient-centered care, in and of itself, does not assure the ACO’s success. All ACO participants are required to ensure that any information documented in patient records and business applications is accurate, complete and truthful, including quality measure documentation and beneficiary notification tracking.[9]

The documentation of correct information so that the ACO can, in turn, meet its own annual reporting requirements to CMS is critical to the ACO receiving financial rewards.

Beneficiary Notification

A beneficiary’s participation in an ACO’s coordinated care model is optional; each beneficiary has the right to opt out of ACO coordinated care data sharing and the right to choose a healthcare provider regardless of MSSP participation.[10] For this reason, CMS requires healthcare providers to notify patients that they are participating in an ACO. If a beneficiary chooses to opt out of the model, the ACO cannot receive quality rewards based on that beneficiary’s health outcomes.

The Assessment: Required Elements of an Effective ACO Compliance Program

According to 42 CFR § 425.300, five (5) distinctive elements are required to constitute an effective ACO compliance program.

  • Element #1 – The appointment of a “designated compliance official or individual who is not legal counsel to the ACO and reports directly to the ACO governing body.”[11]
  • Element #2 – The development and implementation of “mechanisms for identifying and addressing compliance problems related to the ACO’s operations and performance.”[12]
  • Element #3 – “A method for employees or contractors of the ACO, ACO participants, ACO providers/suppliers, and other individuals or entities performing functions or services related to ACO activities to anonymously report suspected problems related to the ACO to the compliance officer.”[13]
  • Element #4 – The provision of “compliance training for the ACO, the ACO participants, and the ACO providers/suppliers.”[14]
  • Element #5 – A requirement for the ACO to report “probable violations of law to an appropriate law enforcement agency.”[15]

The following section will reiterate each element and recommend what steps an ACO CO can take to assure compliance.

Element #1 – The appointment of a “designated compliance official or individual who is not legal counsel to the ACO and reports directly to the ACO governing body.”

To meet this element, the CO must assure they are exclusively committed to and focused on the ACO. As a first step, the CO should establish a Compliance Committee consisting of business leaders and partners from diverse departments and verify that regular meetings are scheduled for the entire year. Prior to each meeting, the CO should draft and distribute an agenda to assure that the committee is aware of relevant compliance issues/concerns. Minutes should be taken at each meeting and ultimately distributed to the ACO’s board for review. The Compliance Committee, along with ACO leadership, should update the full board and staff on a regular basis on any implementation of compliance initiatives and assure that board meetings have compliance issues as a standing agenda item.

To ensure the ACO is compliant with CMS requirements, the CO should be expected to do the following, which should also be included in the CO’s job description:

  1. The CO must report directly and exclusively to the CEO and Board of Directors.[16]
  2. The CO must report consistently to the ACO’s governing body on the activities and status of the Compliance Program, including issues investigated, identified and resolved by the Compliance Program.
  3. The CO will have broad responsibility for the Compliance Program, including:
     a. Develop and/or review policies and procedures that implement the Compliance Program.
     b. Attend operational staff meetings.
     c. Monitor compliance performance by operational areas.
     d. Enforce disciplinary standards, ensuring consistency.
     e. Implement systems for assessment of risk.
     f. Develop an annual work plan inclusive of scheduled operational and data audits.
     g. Review auditing and monitoring reports.
     h. Develop and/or review procedures for participant oversight.
     i. Coordinate with Human Resources.
     j. Monitor effectiveness of corrective actions.

Finally, it should be noted that attorneys can serve as COs of an ACO; however, legal counsel for the ACO cannot also serve as the authorized, designated CO. The legal counsel to the ACO and the CO of the ACO must be different individuals.[17]

Element #2 – The development and implementation of “mechanisms for identifying and addressing compliance problems related to the ACO’s operations and performance.”

The CO should propose to the Compliance Committee that it conduct a risk assessment, followed by an annual compliance work plan inclusive of an internal audit schedule.

The most common ACO compliance risks include failure of ACO participants to comply with the following:[18]

  • Physician self-referral prohibition;
  • Civil monetary penalties (CMP) law;
  • Federal anti-kickback statute;
  • Medicare laws and regulations relevant to ACO operations; and
  • Record retention requirements under 42 CFR § 425.314(b).

Additional potential risks include:

  • Failure to record accurate financial and quality measurement data;
  • Improper coding;
  • Presence of beneficiary and provider complaints;
  • The engagement in or practice of avoiding at-risk beneficiaries; and
  • Failure to adhere to ACO governance requirements.

Consistent internal audit findings should be incorporated into the Compliance Department’s organization-wide risk assessment, which may influence additional auditing, monitoring, and future compliance training and education. An effective compliance auditing and monitoring work plan will proactively position the ACO to show evidence of compliance with relevant regulations, payer contracts and its own participation agreements.

Element #3 – “A method for employees or contractors of the ACO, ACO participants, ACO providers/suppliers, and other individuals or entities performing functions or services related to ACO activities to anonymously report suspected problems related to the ACO to the CO.”

An ACO should establish several options for ACO participants to report compliance issues, including a functioning compliance hotline. Regardless of how the compliance violation is reported, it should be documented and reviewed by the ACO and Compliance Committee to assure that it is investigated and resolved.

However, merely having channels for participants to report issues of non-compliance is not enough. The ACO leaders should regularly endorse a “culture of compliance” to ACO participants so that they are comfortable reporting compliance issues.

Element #4 – The provision of “compliance training for the ACO, the ACO participants, and the ACO providers/suppliers.”

The CO should ensure that all ACO participants (and ACO providers/suppliers) complete mandatory ACO-specific compliance training on, at the very minimum, an annual basis. The ACO must continue to provide ACO-specific compliance training to ensure consistency across the organization. The compliance training should be continually reviewed and updated to focus on ensuring that the ACO participants know and understand their legal obligations, the risk areas within the ACO, and how to report compliance concerns.

In addition to notifying training attendees of their compliance obligations, the training will ensure that all recipients understand the ACO’s legal obligations with respect to its operations. The CO should make this training available via webinar to allow the ACO to reach geographically dispersed participants. Following the webinar training, signed attestations of attendance and understanding should then be collected.

The ACO should provide all new ACO participants with access to its Compliance Program, policies, procedures and Code of Conduct. The Code of Conduct complements the Compliance Program by laying out principles regarding ethical and responsible business practices that guide ACO parties for purposes of preventing and detecting violations of laws and regulations, as well as violations of internal policies and procedures.

Once in receipt of the compliance training, all ACO participants should:

  1. Acknowledge compliance with the ACO’s Compliance Program including, but not limited to, the Code of Conduct, upon becoming employed by, participating in, or providing items or services to the ACO and, thereafter, on an annual basis;
  2. Complete training session(s) covering the Compliance Program, the Code of Conduct, and other compliance-related topics;
  3. Read and understand the requirements of ACO policies and procedures related to their day-to-day job responsibilities; and
  4. Know to report suspected incidents of non-compliance to a supervisor, manager, or the CO either directly or through an established hotline.

The ACO should maintain detailed documentation of attendance and compliance with the training program, such as sign-in sheets and attestations.

Element #5 – A requirement for the ACO to report “probable violations of law to an appropriate law enforcement agency.”

There is no distinct line between events that may require reporting to governmental agencies pursuant to existing state or federal laws (i.e., reportable events) and those that may require notification or reporting to the ACO’s management according to existing policies and procedures.

Organizational leaders and supervisors play a key role in responding to compliance questions whether or not they rise to the level of a “reportable event.”

While the ACO should encourage participants to discuss compliance concerns and report issues through normal business channels, the Compliance Program should also include specific language listing the name and contact information of the appropriate law enforcement agency for various violations of law. For this reason, the ACO should also establish and maintain a “reportable events” policy.

Typically, a “reportable event” is anything that involves:

  1. An overpayment of the ACO;
  2. A matter that a reasonable person would consider a probable violation of criminal, civil, or administrative laws applicable to any federal healthcare program for which penalties or exclusion may be authorized;
  3. The ACO employing or contracting with an Ineligible Person; or
  4. The filing of a bankruptcy petition by the ACO.

Under the “reportable events” policy, if the ACO determines (after a reasonable opportunity to conduct an appropriate review or investigation of the allegations), through any means, that there is a reportable event, the ACO should notify the Office of the Inspector General (“OIG”) within 30 days of making the determination that the reportable event exists.

Additional Elements of the ACO Compliance Program for CO Review

Disciplinary Policies

The purpose of ACO disciplinary policies is to set and maintain standards of conduct within the ACO. Disciplinary policies typically reference the Code of Conduct and the Compliance Program in order to encourage good faith participation in the ACO’s Compliance Program. These policies should outline sanctions, including discipline up to and including termination of employment, contract, and/or other affiliation with the ACO for (i) failing to report compliance issues and/or (ii) participating in, encouraging or directing non-compliant behavior.[19]

Non-Retaliation Policy

The ACO should have a policy that strictly prohibits any form of retaliation against a person who raises a compliance issue or participates in the Compliance Program. An ACO should document that it will not tolerate retaliation or retribution against those who, in good faith, report actual or suspected instances of non-compliance, questions, issues or concerns. The ACO leadership should investigate any reports of such retaliation or retribution and take appropriate disciplinary measures up to, and including, termination.

Written Policies and Procedures and the Compliance Plan

In addition to written operational policies and procedures, the ACO should also draft a Code of Conduct and Compliance Plan to describe compliance expectations, implement the Compliance Program, provide compliance guidance to ACO participants and others, identify ways to communicate compliance issues and describe how compliance issues are investigated and resolved. Oversight of the maintenance of these written documents should be the responsibility of the CO, and the documents should be available to all ACO participants in electronic format and hard copy. These documents should be updated, revised, or redrafted as needed in response to changes or revisions to existing operations, laws, regulations, or other authorities.


The Compliance Plan, Code of Conduct, and policies and procedures, as well as compliance training for all employees and participants, demonstrate an ACO’s commitment to meeting its compliance requirements.

However, despite these efforts, every ACO also needs to have the resources to fully implement a top-down “culture of compliance,” which is essential to adhering to its documented compliance standards. Merely documenting a Compliance Program cannot effectively prevent, detect, and resolve potentially non-compliant and illegal conduct including fraud, waste, and abuse of government program funds by those participating in, or otherwise providing services to, the ACO.

An ACO is governed by numerous requirements for the MSSP, as covered in 42 CFR Part 425, as well as other applicable state and federal regulatory standards. It is virtually impossible for an ACO to rely solely on the CO to ensure its own and its participants’ consistent adherence to relevant regulations. All contracts or arrangements between an ACO and its participants require compliance with the ACO’s MSSP participation agreement as well as all applicable laws and regulations.

For example, as an ACO continues to enter into strategic partnerships with diverse payers, clearly identified and properly resourced staff and members will be required to ensure that participants, per their contractual requirements, are taking actionable steps on the health data being disseminated by the ACO. If the ACO is unable to verify whether participants are addressing gaps in care, achieving CMS quality performance benchmarks, or providing cost-effective care as per their contract with the ACO, it will ultimately be non-compliant with CMS and its strategic payers.

The CO needs to ensure that:

  1. Detailed policies and procedures are being distributed to appropriate participants;
  2. Identified issues are reported through regular, documented meetings to the Compliance Committee on a timely basis for consideration as necessary;
  3. Identified issues are reported to the CEO or Board of Directors by the CO;
  4. There is follow-up training and education of staff involved with the compliance issue;
  5. There is necessary communication between the CO and staff and management;
  6. The ACO is able to take consistent, timely, and appropriate disciplinary action;
  7. Risk assessments are being completed;
  8. Participant monitoring and auditing are being completed to ascertain possible fraud, waste or abuse;
  9. Root cause analysis is being completed and documented; and
  10. Timely and effective corrective actions are being implemented.

The CO needs to lead the charge in promoting a culture of compliance at all levels within the organization. Maintaining an effective compliance program is an ongoing process that requires buy-in from all ACO participants. An effective compliance plan is not a static document; it is proactive, responsive, and changes according to the needs of the organization.


[1] 42 CFR § 425.300, Compliance Plan.
[2] National Association of ACOs (NAACOS).
[3] Patient Protection and Affordable Care Act, 42 U.S.C. § 18001 (2010).
[5] American Hospital Association (AHA).
[7] CMS, Overview of Select Alternative Payment Models (March 3, 2016).
[8] Medicare Shared Savings Program Quality Measure Benchmarks for the 2020/2021 Performance Years.
[9] 42 CFR § 425.302(a)(2).
[10] 42 CFR § 425.312, 42 CFR § 425.708, and 10 NYCRR 1003.6.
[11] 42 CFR § 425.300(a)(1).
[12] 42 CFR § 425.300(a)(2).
[13] 42 CFR § 425.300(a)(3).
[14] 42 CFR § 425.300(a)(4).
[15] 42 CFR § 425.300(a)(5).
[16] See 42 CFR § 425.300(b)(1); see also 76 Fed. Reg. 67802, 67952.
[17] 76 Fed. Reg. 67802, 67952.
[18] NYC Health and Hospitals, Office of Corporate Compliance, HHC ACO, Inc. Compliance Plan.
[19] NYC Health and Hospitals, Office of Corporate Compliance, HHC ACO, Inc. Compliance Plan.



Copyright 2021 - Mazars - United States