Word count: 629
Estimated time to read: 4 minutes
Are you ready with NCQA’s 2023 standards, effective July 1, 2023, on UM and Credentialing System Controls?
These standards are high-risk because:
- they are Structural Requirements
- include Must-Pass Elements (UM 12A, UM 12C, and CR 1C)
- policies must be in place during your look-back period
- Delegation Agreements must include a description of the delegate’s UM/CR System Controls and at least annual monitoring; boilerplate or template language is acceptable (UM 13A and CR 8A) *
- require close oversight of delegated entities (UM 13C Factors 5 & 6 and CR 8C Factors 5 & 6)
- require monitoring (UM 12A, UM 12C, and CR 1C)
- delegate automatic credit is available under specific circumstances
*As of July 1, 2024, all Delegation Agreements must include the requirements for UM 13A Factor 4, and CR 8A Factor 4. For existing agreements in place prior to January 1, 2022, through HPA 2023 surveys, System Controls can be described in the Delegation Agreement or other mutually agreed upon document or policy.
As standards on System Controls are implemented, organizations encounter questions, and MHR has clarified these with NCQA. How would you respond?
I. Would you consider this scenario a system modification?
Scenario: An organization sends a notification letter with the number of approved and denied therapy visits, then sends a second letter correcting the number of approved visits after the case was closed. Both letters were auto-populated, each with its own date, and stored in the UM system.
Question: Is the date on the second letter considered a modification?
NCQA’s Answer: Yes, because there was a change to the UM information after the initial notification date was recorded in the system.
Why does this scenario matter?
Organizations identify the circumstances when modifications are appropriate in their policies and procedures (UM 12A 4).
Only modifications that do not meet the organization’s policies are required to be monitored.
II. When are entities that print and mail UM notification letters on behalf of a health plan or organization within the scope of System Controls oversight?
Scenario: An organization provides a flat file of member names and addresses to an entity to print and mail UM notification letters and returns this data to the organization.
Question: Is this scenario within the scope of System Controls under UM 13?
NCQA Answers: No, entities or vendors that do not store, create, modify, or use the data are not within the scope of System Controls.
If the entity that prints and mails letters for a health plan/organization has the capacity to modify or store UM data on the requestor’s behalf, then delegated oversight is required.
III. Is a letter sent to a corrected address within the scope of System Controls?
Scenario: A notification letter is sent to an incorrect address, then the organization sends a new letter to the corrected address.
Question: Is sending a new letter to a corrected address considered a modification?
NCQA’s Answer: As long as the organization uses the original notification date, then sending a letter to a corrected address would not be considered a modification.
One area of caution – If the organization’s UM system automatically adds a new date on the corrected letter, but the organization modifies the date back to the original one, then this is considered an acceptable modification and should be explained in the organization’s policies and procedures.
Note that NCQA provides updates on these standards frequently, and because our MHR team of independent consultants includes many NCQA surveyors, we provide summaries of these trainings to our clients.
Call to Action:
Review MHR’s March 2023 Blog on NCQA SYSTEM CONTROLS PROMOTE SYSTEM INTEGRITY for reminders on
- Contact MHR for assistance.
Managedhealthcareresources.com or
email Susan K. Moore at [email protected]
Stay connected with news and updates!
Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.
We hate SPAM. We will never sell your information, for any reason.