GAO-11-269R, Medicare Part D: CMS Conducted Fraud and Abuse Compliance Plan Audits, but All Audit Findings Are Not Yet Available


This is the accessible text file for GAO report number GAO-11-269R 
entitled 'Medicare Part D: CMS Conducted Fraud and Abuse Compliance 
Plan Audits, but All Audit Findings Are Not Yet Available' which was 
released on March 21, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-11-269R: 

United States Government Accountability Office: 
Washington, DC 20548: 

February 18, 2011: 

The Honorable Thomas R. Carper: 
Chairman: 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable John McCain: 
United States Senate: 

Subject: Medicare Part D: CMS Conducted Fraud and Abuse Compliance 
Plan Audits, but All Audit Findings Are Not Yet Available: 

The Medicare Part D program, administered by the Department of Health 
and Human Services' (HHS) Centers for Medicare & Medicaid Services 
(CMS), provides a voluntary, outpatient prescription drug benefit for 
eligible individuals 65 years and older and eligible individuals with 
disabilities. CMS contracts with private companies--such as health 
insurance companies and companies that manage pharmacy benefits--to 
provide Part D prescription drug plans for Medicare beneficiaries. 
These companies are referred to as Part D sponsors.[Footnote 1] About 
27 million individuals were enrolled in Medicare Part D as of December 
2009, and estimated Medicare Part D spending was $51 billion in fiscal 
year 2009. Because of Medicare's vulnerability to fraud, waste, and 
abuse, GAO has designated Medicare as a high-risk program.[Footnote 2] 
We and HHS's Inspector General have previously reported that the size, 
nature, and complexity of the Part D program make it a particular risk 
for fraud, waste, and abuse.[Footnote 3] 

The Medicare Prescription Drug, Improvement, and Modernization Act of 
2003 (MMA), which established the Part D program, requires all Part D 
sponsors to have programs to safeguard Part D from fraud, waste, and 
abuse.[Footnote 4] CMS is responsible for managing and overseeing the 
Part D program. CMS regulations require Part D sponsors to have 
compliance plans that must include measures that detect, correct, and 
prevent fraud, waste, and abuse.[Footnote 5] In April 2006, CMS issued 
guidance in chapter 9 of its Medicare Part D Prescription Drug Benefit 
Manual on the seven required elements of these plans.[Footnote 6] (See 
table 1.) These compliance plans, which must be approved by CMS, 
articulate policies, processes, and procedures for Part D sponsors to 
detect, correct, and prevent fraud, waste, and abuse. Implementation 
of a compliance plan includes conducting the activities described in 
the plan and developing comprehensive written procedures for 
activities referenced in the plan. 

Table 1: Description of Required Medicare Part D Sponsors' Compliance 
Plan Elements for Fraud and Abuse Programs: 

Compliance Plan Elements: Written Policies, Procedures, and Standards 
of Conduct; 
Description: Include written policies, procedures, and standards of 
conduct articulating the organization's commitment to comply with all 
applicable federal and state standards. 

Compliance Plan Elements: Compliance Officer and Compliance Committee; 
Description: Designate a compliance officer and a compliance committee 
that are accountable to senior management. 

Compliance Plan Elements: Effective Training and Education; 
Description: Include effective training and education pertaining to 
fraud, waste, and abuse for the organization's employees and 
contractors. 

Compliance Plan Elements: Effective Lines of Communication; 
Description: Include effective lines of communication among the 
compliance officer and the organization's employees, contractors, 
directors, and the members of the compliance committee. 

Compliance Plan Elements: Enforcement of Disciplinary Standards; 
Description: Have well-publicized disciplinary guidelines through 
which sponsors enforce standards and encourage participation in the 
compliance program. 

Compliance Plan Elements: Internal Monitoring and Auditing; 
Description: Establishing and implementing effective routine systems 
for monitoring and identifying compliance risks. 

Compliance Plan Elements: System to Promptly Respond and Investigate 
Potential Compliance Issues; 
Description: Include procedures for ensuring prompt responses to 
detected offenses, developing corrective action initiatives, and 
making timely inquiries into potential offenses. 

Source: GAO summary of regulations. 

[End of table] 

CMS oversees Part D sponsors' fraud and abuse programs and may conduct 
audits to ensure that sponsors are in compliance with program 
requirements.[Footnote 7] Specifically, the Center for Medicare, 
Program Compliance and Oversight Group (CM/PCOG)--the lead office for 
CMS's Part D audits (including compliance plan audits) and enforcement 
of program requirements--coordinates with the Center for Program 
Integrity (CPI)--the focal point for program integrity, fraud, and 
abuse issues--to oversee fraud and abuse program compliance. CMS has 
contracted with Medicare Drug Integrity Contractors (MEDICs) to 
support its Part D audit efforts.[Footnote 8] 

In a March 2010 hearing, we and CMS described the extent of CMS's 
oversight of Part D sponsors' programs to control fraud, waste, and 
abuse, including its past efforts and planned oversight activities. 
[Footnote 9] CMS's testimony detailed several of the agency's program 
integrity activities, including its plans to conduct on-site 
compliance plan audits using newly developed audit protocols focused 
on evaluating and validating the effectiveness of sponsors' compliance 
plans, including measures to detect, correct, and prevent fraud, 
waste, and abuse.[Footnote 10] At that time, CMS reported that the 
agency had completed 16 desk audits (reviews of requested documents 
only) between October 2008 and April 2009 and two pilot on-site audits 
(interviews and face-to-face evaluations in addition to document 
reviews) of selected Part D sponsors' compliance plans and planned to 
conduct additional on-site compliance plan audits by April 2010. Until 
these were completed, however, we could not assess the effectiveness 
of those audits in ensuring that Part D sponsors had compliance 
programs in place. You asked us to examine the extent of CMS's 
implementation of planned oversight of Part D sponsors' compliance 
plans to ensure that sponsors have effective programs in place to 
protect Part D from fraud, waste, and abuse. Specifically, this report 
provides an update on the status of CMS's implementation of on-site 
audits of sponsors' compliance plans that the agency described in its 
March 2010 testimony. 

To conduct our update of CMS's implementation of on-site audits of 
Part D sponsors' compliance plans that CMS described in its March 2010 
testimony, we examined recent CMS progress and relied on our 2008 
report and our 2010 testimony.[Footnote 11] To update the status of 
CMS's implementation of on-site audits, we interviewed officials from 
CMS's CM/PCOG and CPI and reviewed agency documents that included 
CMS's audit strategy and compliance plan audit protocols. We did not 
evaluate the results or effectiveness of CMS's oversight activities 
and audits. To describe the number of enrollees in audited plans, we 
report CMS's published enrollment statistics as of April 2010. We 
conducted this performance audit from November 2010 through February 
2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objective. 

CMS Conducted Planned 2010 On-Site Audits of Sponsors' Compliance 
Plans; All Audit Findings Are Not Yet Available: 

CMS conducted its planned on-site compliance plan audits of 33 
sponsors in 2010. Findings for all of these 2010 audits are not yet 
available; however, CMS anticipated finalizing them in early 2011. 

CMS Conducted Planned On-Site Compliance Plan Audits of 33 Sponsors in 
2010: 

Consistent with the audit plans CMS officials reported to us in 
February 2010, the agency scheduled on-site compliance plan audits to 
assess more thoroughly the effectiveness of sponsors' fraud and abuse 
programs. CMS officials reported that the agency scheduled and 
conducted on-site compliance plan audits of 33 of the 290 Medicare 
Part D sponsors in 2010, the majority of which were conducted as part 
of wider risk-based on-site performance audits. Performance audits are 
also conducted by CM/PCOG and assess compliance with certain CMS 
program requirements, such as Part D formulary administration and 
compliance plans, that CMS considers to be at risk for deficiencies or 
compliance issues.[Footnote 12] In auditing sponsors' compliance 
plans, CM/PCOG audits sponsors' implementation of the compliance plan 
requirements, including a fraud and abuse program for Part D. CMS 
officials stated that although the performance audits conducted in 
2010 assessed Part D sponsors' compliance plans, the audits did so as 
part of overall assessments of sponsors' compliance with all Medicare 
requirements. While performance audits are more expansive than the 
compliance-plan-only audits, CMS's completion of these on-site audits 
was consistent with their plans to complete compliance plan audits 
that they reported to us in February 2010. The audits were conducted 
by CMS central and regional staff as well as CMS contractors between 
January and September 2010.[Footnote 13] The 33 sponsors represented 
11 percent of Part D sponsors, 56 percent of plans, and covered 62 
percent of enrolled beneficiaries in 2010 according to agency 
officials.[Footnote 14] 

CMS used a 2010 risk assessment--which was informed by a focused 
fraud, waste, and abuse evaluation--to choose sponsors for an on-site 
audit: either a compliance-plan-only audit or a wider performance 
audit that included an audit of the sponsor's compliance plan in 
addition to other program compliance areas. Specifically, the 
selection of sponsors subject to a compliance-plan-only audit was 
based on certain sponsors' inclusion in previously conducted: 

desk audits[Footnote 15] and other factors such as whether the sponsor 
was identified in a fraud, waste, and abuse evaluation conducted by 
one of the MEDICs.[Footnote 16] The selection criteria for sponsors 
subject to a performance audit (including a compliance plan audit) was 
based on CMS's 2010 risk assessment that included an evaluation of 
sponsors' past performance and enrollment including 
compliance/enforcement referrals as well as the MEDIC's focused fraud, 
waste, and abuse evaluation. Moreover, CMS officials told us that they 
used the risk assessment to schedule audits of sponsors that the 
agency concluded posed the most risk--those that had past performance 
problems, large enrollment,[Footnote 17] and/or were identified as 
high risk by the MEDIC's evaluation--to be audited first. In total, 22 
sponsors received a full on-site performance audit (that included a 
compliance plan audit) and 11 sponsors received an on-site compliance-
plan-only audit. (See table 2.) 

Table 2: On-Site Compliance Plan Audits Conducted in 2010: 

Audit conducted: Performance (including compliance plan)[C]; 
Sponsors[A]: Number: 22[D]; 
Sponsors[A]: Percentage of sponsors[B]: 8; 
Plans: Number: 2,227; 
Plans: Percentage of plans[B]: 37; 
Enrollees: Number: 10,863,791; 
Enrollees: Percentage of enrollees[B]: 37. 

Audit conducted: Compliance-plan-only performance; 
Sponsors[A]: Number: 11[E]; 
Sponsors[A]: Percentage of sponsors[B]: 4; 
Plans: Number: 1,122; 
Plans: Percentage of plans[B]: 19; 
Enrollees: Number: 7,203,639; 
Enrollees: Percentage of enrollees[B]: 25. 

Audit conducted: Total[F]; 
Sponsors[A]: Number: 33; 
Sponsors[A]: Percentage of sponsors[B]: 11; 
Plans: Number: 3,349; 
Plans: Percentage of plans[B]: 56; 
Enrollees: Number: 18,067,430; 
Enrollees: Percentage of enrollees[B]: 62. 

Source: GAO summary of CMS data. 

[A] CMS selects the top, or parent, level of sponsor organizations for 
performance audits, making all contracts and plans therein subject to 
the audit. 

[B] Calculated as percentage of total sponsors (N= 290), total plans 
(N= 6020), and enrolled beneficiaries (N= 29,147,145) in April 2010 
according to CMS. 

[C] All sponsors that were chosen for an on-site performance audit 
based on CMS's risk assessment also received an on-site compliance 
plan audit. 

[D] Nine of these sponsors received a compliance plan desk audit in 
2009. 

[E] Seven of these sponsors received a compliance plan desk audit in 
2009. 

[F] Due to rounding, percentages do not add up to 100 percent. 

[End of table] 

CMS officials reported that they piloted and developed new on-site 
compliance plan audit protocols that included interviews and reviews 
of documentation. Officials told us that they first conducted three on-
site performance audits between January and April 2010 as a result of 
enforcement/compliance referrals for those sponsors and used these 
audits as a testing ground for the on-site performance audit process, 
including review of the seven fraud and abuse elements of compliance 
plans. The agency then re-designed and tested the on-site performance 
audit process and protocols, including on-site compliance plan audit 
protocols, in a pilot audit before completing the remaining planned 
audits. Officials reported that they revised the on-site audit process 
and protocols throughout the audit process to incorporate lessons 
learned, making changes as necessary. The on-site compliance plan 
audit protocols included interviews with sponsor officials and on-site 
review of compliance plan implementation documentation for each of the 
seven fraud and abuse compliance plan elements.[Footnote 18] For 
example, to test sponsors' implementation of the requirement to have a 
Compliance Officer and Compliance Committee, auditors were to 
interview the Compliance Officer and Committee members as well as 
obtain relevant documentation. 

Complete 2010 Audit Findings Are Not Yet Available but Anticipated in 
Early 2011: 

As of February 2011, CMS had not made all audit findings available but 
had taken formal enforcement actions against several sponsors 
resulting from the on-site audits according to agency officials. CMS 
officials reported that they anticipated finalizing all audit findings 
in early 2011.[Footnote 19] Potential oversight or enforcement actions 
resulting from the audits could include issuing audit report notices, 
giving sponsors an opportunity to correct deficiencies, or where 
appropriate for serious violations, imposing civil monetary penalties, 
imposing intermediate sanctions, or terminating a contract. As of 
December 2010, officials reported that the agency had issued five 
marketing and enrollment sanctions and one contract termination action 
based, in part, on the results of these audit findings noting failure 
to comply with CMS compliance plan requirements. CMS officials also 
reported that they were deliberating about what, if any, additional 
enforcement actions should be taken as a result of audit findings. 
[Footnote 20] In addition, CMS officials told us they were reviewing 
the findings and the on-site audit processes programmatically to 
identify opportunities for improvements in its oversight mechanisms, 
in addition to addressing specific sponsor problems.[Footnote 21] 

Agency officials reported that although still in development, they 
anticipate completing their 2011 audit and oversight plans early in 
the year. Officials told us that they needed to finalize their audit 
findings, re-assess risks in the program, and assess agency resources 
before completing their audit strategy for 2011--which includes 
determining the number of compliance plan audits CMS will complete. 
The officials reported that, assuming CMS resources are available, any 
future compliance plan audits would be on-site rather than desk 
audits, as on-site audits provide a more thorough evaluation of 
sponsors and had a positive effect on educating sponsors about the 
importance of maintaining fraud and abuse programs. Officials we spoke 
with said they planned to improve future on-site audits based on their 
experience in 2010 as one monitoring tool they use to oversee 
sponsors' performance on a day-to-day basis. 

Agency Comments and Our Evaluation: 

We received technical comments on a draft of this correspondence from 
HHS, which we incorporated as appropriate. 

As arranged with your offices, unless you publicly announce the 
contents of this correspondence earlier, we plan no further 
distribution until 30 days from the date of this report. At that time, 
we will send copies of this correspondence to the Secretary of Health 
and Human Services and other interested parties. In addition, the 
report will be available at no charge on the GAO Web site at 
[hyperlink, https://www.gao.gov]. If you or your staff have any 
questions about this correspondence please contact me at (202) 512-
7114 or kingk@gao.gov. 

Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
made major contributions to this report are listed in enclosure I. 

Signed by: 

Kathleen M. King: 
Director, Health Care: 

Enclosure - 2: 

[End of section] 

Enclosure I: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Kathleen M. King at (202) 512-7114 or kingk@gao.gov: 

Acknowledgments: 

Martin T. Gahart, Assistant Director; Rebecca Abela; Jennel Harvey; 
Laurie Pachter; and Jennifer Whitworth were key contributors to this 
report. 

[End of section] 

Enclosure II: Related GAO Products: 

Medicare Fraud, Waste, and Abuse: Challenges and Strategies for 
Preventing Improper Payments. [hyperlink, 
http://www.gao.gov/products/GAO-10-844T]. Washington, D.C.: June 15, 
2010. 

Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and Abuse 
Programs Has Been Limited, but CMS Plans Oversight Expansion. 
[hyperlink, http://www.gao.gov/products/GAO-10-481T]. Washington, 
D.C.: March 3, 2010. 

Improper Payments: Improper Payments: Responses to Posthearing 
Questions Related to Eliminating Waste and Fraud in Medicare and 
Medicaid. [hyperlink, http://www.gao.gov/products/GAO-09-838R]. 
Washington, D.C.: July 20, 2009. 

Medicare Part D: Opportunities Exist for Improving Information Sent to 
Enrollees and Scheduling the Annual Election Period. [hyperlink, 
http://www.gao.gov/products/GAO-09-4]. Washington, D.C.: December 12, 
2008. 

Medicare Part D Prescription Drug Coverage: Federal Oversight of 
Reported Price Concessions Data. [hyperlink, 
http://www.gao.gov/products/GAO-08-1074R]. Washington, D.C.: September 
30, 2008. 

Medicare Part D Low-Income Subsidy: Assets and Income Are Both 
Important in Subsidy Denials, and Access to State and Manufacturer 
Drug Programs Is Uneven. [hyperlink, 
http://www.gao.gov/products/GAO-08-824]. Washington, D.C.: September 
5, 2008. 

Medicare Part D: Some Plan Sponsors Have Not Completely Implemented 
Fraud and Abuse Programs, and CMS Oversight Has Been Limited. 
[hyperlink, http://www.gao.gov/products/GAO-08-760]. Washington, D.C.: 
July 21, 2008. 

Medicare Part D: Complaint Rates Are Declining, but Operational and 
Oversight Challenges Remain. [hyperlink, 
http://www.gao.gov/products/GAO-08-719]. Washington, D.C.: June 27, 
2008. 

Medicare Part D: Plan Sponsors' Processing and CMS Monitoring of Drug 
Coverage Requests Could Be Improved. [hyperlink, 
http://www.gao.gov/products/GAO-08-47]. Washington, D.C.: January 22, 
2008. 

[End of section] 

Footnotes: 

[1] Part D sponsors offer drug coverage either through stand-alone 
prescription drug plans (PDP) or through Medicare Advantage 
prescription drug (MA-PD) plans for beneficiaries enrolled in Medicare 
Advantage, Medicare's managed care program. 

[2] GAO's audits and evaluations identify federal programs and 
operations that we determine are high risk due to their greater 
vulnerabilities to fraud, waste, abuse, and mismanagement. See GAO, 
High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 
2011). 

[3] GAO, Prescription Drugs: Oversight of Drug Pricing in Federal 
Programs, [hyperlink, http://www.gao.gov/products/GAO-07-481T] 
(Washington, D.C.: Feb. 9, 2007). U.S. House of Representatives Ways 
and Means Subcommittees on Health and Oversight, 110th Cong., March 8, 
2007 (testimony of Daniel R. Levinson, HHS Inspector General) and U.S. 
House of Representatives Oversight and Government Reform Committee, 
110th Cong., February 9, 2007 (testimony of Lewis Morris, Chief 
Counsel to the HHS Inspector General). 

[4] Pub. L. No. 108-173 � 101, 117 Stat. 2066, 2086 (adding Social 
Security Act �1860D-4(c)(1)(D)) (codified at 42 U.S.C. � 1395w- 
104(c)(1)(D)). Hereafter, we refer to programs to control fraud, 
waste, and abuse as fraud and abuse programs. 

[5] 42 C.F.R. � 423.504(b)(4)(vi) (2010). 

[6] The Prescription Drug Benefit Manual consists of multiple chapters 
related to various Part D program areas and outlines Part D program 
requirements and CMS guidance. The chapter in the manual entitled 
"Chapter 9--Part D Program to Control Fraud, Waste and Abuse" 
addresses fraud, waste, and abuse in Part D. In November 2010, CMS 
officials told us that they were in the process of updating chapter 9 
to reflect the final rule issued in 2010 that clarifies and codifies 
the existing policies regarding the required compliance plan elements. 
For example, CMS added language specifying the groups and individuals 
among a sponsor's employees that are required to have compliance 
training and education and that training should occur at least once a 
year and be made part of orientation for new employees and specified 
entities. 75 Fed. Reg. 19,678 (April 15, 2010)(amending 42 C.F.R. � 
423. 504 (b)(4)). 

[7] CMS is required to conduct financial audits for at least one-third 
of Part D sponsors each year. 42 U.S.C. � 1395w-112(b)(3)(C). These 
audits are outside the scope of this report. 

[8] There are two MEDICs--SafeGuard Services, LLC, and Health 
Integrity, LLC. 

[9] GAO, Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and 
Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion, 
[hyperlink, http://www.gao.gov/products/GAO-10-481T] (Washington, 
D.C.: Mar. 3, 2010). Our statement was based on a July 2008 report in 
which we found that CMS's oversight of Part D sponsors fraud and abuse 
programs was limited; specifically the agency had not conducted audits 
of sponsors' fraud and abuse programs as detailed in its 2005 Part D 
Oversight Strategy. Audits of fraud and abuse programs had not been 
conducted in 2006, 2007, or 2008. In addition, we found that certain 
sponsors had not completely implemented required elements for fraud 
and abuse programs. 

[10] Hearing on Oversight Challenges In The Medicare Prescription Drug 
Program, Before U.S. Senate Committee on Homeland Security and 
Government Affairs, Subcommittee on Federal Financial Management, 
Government Information, Federal Services and International Security, 
111th Cong. (Mar. 3, 2010) (Statement of Jonathan Blum, Director, 
Center for Medicare Management). 

[11] To conduct our evaluation of CMS's oversight for the July 2008 
report, we reviewed relevant laws, regulations, and CMS guidance to 
determine the elements of a comprehensive compliance plan including 
fraud and abuse programs. We also interviewed officials from CMS and 
the HHS's Office of the Inspector General (OIG). In addition, we 
reviewed documentation from CMS, including CMS's Part D oversight 
strategy, program audit strategies, contracts related to Part D 
program integrity efforts, and technical assistance provided by CMS 
specific to fraud and abuse programs. A detailed explanation of our 
methodology is included in our July 2008 report. To prepare our March 
2010 testimony statement, we interviewed officials from CMS and 
reviewed agency documents to obtain selected updated information on 
CMS oversight. 

[12] Other areas include Part D grievances, coverage determinations, 
redeterminations and appeals, enrollment and disenrollment, premium 
billing, etc. CMS told us that they use a risk assessment to determine 
which program area(s) represents risk for noncompliance, and then CMS 
conducts a performance audit on these areas. 

[13] MEDICs assisted CMS with completing its compliance plan audits 
under separate contracts with CM/PCOG and CPI according to CMS 
officials. CM/PCOG also contracted with an additional private 
contractor to assist CMS with conducting performance audits for 
requirements other than CMS's compliance plan requirements. 

[14] CMS selects the top, or parent, level of sponsor organizations 
for performance audits, making all contracts and plans therein subject 
to the audit. Therefore, for the purposes of this report, "sponsor" 
refers to the parent organization. Sponsors may have multiple 
contracts with CMS with each contract offering one or more distinct 
Part D plans. 

[15] CMS officials told us they selected all sponsors that received a 
compliance plan desk audit in 2009 for on-site compliance plan audit 
in 2010. Of the 16 sponsors that received a 2009 compliance plan desk 
audit, 9 were also selected for and received a wider performance audit 
based on CMS's 2010 risk assessment or compliance/enforcement 
referrals, and 7 received a compliance-plan-only audit. 

[16] The evaluation identified plans at risk for having poorly 
designed compliance plans through measures such as high complaint or 
grievance rates, poor outcomes from previous audits, or problems 
reporting required information to CMS. 

[17] Six of the audited sponsors had enrollment of over one million 
beneficiaries. 

[18] CMS officials told us that although they were in the process of 
updating guidance in chapter 9 of the Part D Prescription Drug Benefit 
Manual related to the rule issued in April 2010, the 2010 compliance 
plan audit protocols incorporated the changes made to CMS regulations 
because many of these requirements were already reflected in existing 
sub-regulatory guidance. 

[19] As of February 2011, CMS officials reported that the agency had 
issued compliance plan audit findings to the sponsors that were 
subject to 2010 enforcement actions in CMS's notice of those actions. 
Also, CMS had issued reports to sponsors for 11 of the compliance plan 
audits conducted. 

[20] In an additional effort to strengthen Part D oversight, CMS hired 
a contractor to assess the MEDIC program. That study was completed in 
April 2010. Officials told us that the agency made changes to its 
MEDIC oversight strategy for Parts C and D as a result of the study. 
Review of the MEDIC tasks are outside the scope of this report. 

[21] For our March 2010 testimony, CMS officials told us that in 
conducting the 16 desk and 2 pilot on-site audits they found that 
sponsors had deficiencies in implementation of two of the required 
compliance elements--internal auditing and monitoring and training and 
education. These findings were similar to our July 2008 findings. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO�s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO�s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: