In November 2023, the Centers for Medicare and Medicaid Services (CMS) updated its Open Payment Frequently Asked Questions (FAQs) document, adding three questions about Sunshine Act audits. Under the Physician Payments Sunshine Act, medical device and drug manufacturers are required to annually report payments and other transfers of value provided to “covered recipients” to CMS. CMS then publishes that data online via a publicly accessible database of payments.
Under the Sunshine Act, CMS, the Department of Health and Human Services (HHS), and the HHS Office of Inspector General (HHS OIG) have authority to audit reporting entities to ensure their compliance with reporting requirements. Civil monetary penalties of up to $1,500,000 may be imposed on reporting entities that fail to comply with the Sunshine Act.
Updated FAQs
As noted above, CMS updated its Sunshine Act FAQs in November 2023 to include three new FAQs surrounding the audit process.
One question, how will CMS select manufacturers and group purchasing organizations to audit, discussed that any reporting entity may be selected for an audit and that CMS “uses a combination of risk-based criteria and random selection to identify reporting entities for audit,” including factors such as prior history of non-compliance, credible third-party compliance tips, anomalies or inaccuracies in reported data, and unusual or inconsistent reporting patterns.
Another question focused on how a company would be contacted if they were audited. CMS stated that formal communications will be sent through the USPS, using the physical mailing address and email addresses provided by the company during the Open Payments registration or recertification process. CMS noted that it may use contractors to initiate and perform the audit.
The third question centered around audits and what a company could expect if they are selected for an audit. CMS stated that while each audit is unique and the audit process will depend on why the audit is being performed and the scope of the individual audit, a company should generally expect to need access to information that pertains to its compliance with Open Payments program requirements. This may include receipts or checks; general ledgers; copies of contracts or agreements; standard operating procedures or directions to employees regarding transfer of value tracking; board meeting notes; or anything else that captures data concerning payments or transfers of value to covered recipients.
CMS further noted that using a vendor or partner for marketing does not constitute an exception to reporting, and these types of payments should also be documented in case of an audit.
At the start of an audit, the organization will receive an audit notice letter from CMS. The organization will then be contacted by the CMS audit contractor and a phone conference will be scheduled to provide further instructions. All requested documentation should be uploaded to a secure portal. At the end of the audit, the organization will be presented with audit findings and given the opportunity to respond. CMS may also issue a letter outlining the steps for the entity to come into compliance or pursue civil monetary penalties, depending on the audit results.
Is an Increase in Audits Coming?
These three questions, combined with a requested budget increase by CMS to support operations and enhancements to the Open Payments program, may be indicative of a planned shift towards increased audits and enforcement under the program.