CMS Audits on the Horizon: Prepare for Increased CMS Audits Under the Sunshine Act

May 14, 2024

Historically, the Centers for Medicare and Medicaid Services (“CMS”) has not aggressively pursued enforcement activity under the Sunshine Act. However, this may change in 2024. Late last year, CMS updated its Open Payments FAQs, adding three questions specifically related to Sunshine Act audits. This suggests that CMS may be preparing to conduct more audits soon. Additionally, CMS’s annual report to Congress requested an increased budget to support ongoing operations and enhancements related to the Open Payments program. CMS also reports an increase in pre-demand letters and civil monetary penalties imposed under the Sunshine Act; CMS pursued nine enforcement events in FY 2022, three in FY 2021, and seven in FY 2020. Together, these developments signal a shift towards increased audits and enforcement.

Sunshine Act Overview

The Physician Payments Sunshine Act (the "Sunshine Act"), originally enacted as part of the Patient Protection and Affordable Care Act, requires medical device and drug manufacturers to annually report payments and transfers of value provided to "covered recipients" (e.g., physicians, teaching hospitals, certain advanced practice nurses). CMS operates the program known as the Open Payments Program. The Sunshine Act promotes transparency and accountability in the U.S. healthcare system.

Audits and Penalties for Noncompliance

The Department of Health and Human Services (“HHS”), CMS, the HHS Office of Inspector General (“OIG”), and their designees have the authority to audit reporting entities to ensure compliance with the Sunshine Act. Civil monetary penalties (CMPs) of up to $1,500,000 (adjusted annually) may be imposed on reporting entities for violations of the Sunshine Act.

CMS’s New Sunshine Act FAQs

CMS’s new Sunshine Act FAQs shed some light on the audit process:

1. How will CMS select companies to audit?

CMS states that any reporting entity may be selected for audit. The selection is based on a combination of risk-based criteria and random selection. Risk-based criteria include credible tips, unusual and inconsistent reporting patterns, data irregularities, and a history of noncompliance (FAQ #2026).

2. How will CMS notify companies they are being audited?

CMS will notify companies of impending audits by mail and email, using the addresses provided during the Open Payments registration or recertification process (FAQ #2025).

3. What can companies expect during a Sunshine Act audit?

The processes and procedures used during an audit will depend on the audit's reason and scope. Audited companies should ensure they have ready access to any information pertaining to compliance with Open Payments program requirements (FAQ #2027). CMS provides a non-exclusive list of example records that audit targets should have readily available:

  • Receipts or checks;
  • General ledgers;
  • Contracts and agreements;
  • Standard operating procedures;
  • Board meeting notes; and,
  • Any other documents capturing data concerning payments or transfers of value to covered recipients.

While the new FAQs provide some clarity on the audit process, several key questions remain unanswered. The FAQs do not specify the volume or frequency of audits CMS plans to conduct. Companies will need to stay vigilant and ensure their compliance practices are robust and comprehensive to mitigate the risk of being audited.

How to Prepare for a Sunshine Act Audit

Given the increasing likelihood of Sunshine Act audits, companies should be proactive in their preparation. Here are some actionable steps for reporting entities to take:

  • Review and update Policies. Review and update your compliance policies and procedures to align with the latest Sunshine Act requirements and CMS guidelines.
  • Conduct Internal Sunshine Act Audits. Periodically perform internal audits to identify and rectify any compliance gaps. This can help in ensuring all data reported is accurate and complete.
  • Maintain Records. Keep detailed and organized records of all transactions, including receipts, checks, general ledgers, contracts, and other relevant documents. Ensure these records are easily accessible.
  • Train Your Team. Provide regular training to employees involved in the reporting process. Ensure they understand the Sunshine Act's requirements and the importance of accurate reporting.
  • Monitor Reporting Patterns. Establish a system for monitoring and reviewing your reporting patterns. Look for any unusual or inconsistent patterns that could trigger an audit.
  • Prepare for Communication. Ensure that your contact information is updated in the Open Payments system. Designate a point person to handle any communications with CMS regarding audits.

By taking these steps, companies can better position themselves to respond effectively to a Sunshine Act audit and mitigate the risk of enforcement action.

Contact Us

If you have questions or concerns about the possibility of facing a Sunshine Act audit in 2024 (and beyond) or need help preparing, contact Gardner Law.