CASE STUDY: Centene Corporation. Compliance 360 GRC Software Suite

CASE STUDY: Centene Corporation Compliance 360 GRC Software Suite

2 CASE STUDY: Centene Corporation Background Centene Corporation is a leading multi-line healthcare enterprise that provides programs and related services to individuals receiving benefits under Medicaid, including Supplemental Security Income (SSI) and the State Children s Health Insurance Program (SCHIP). The Company operates Medicaid health plans in Georgia, Indiana, New Jersey, Ohio, South Carolina, Texas and Wisconsin. In addition, the Company contracts with other healthcare and commercial organizations to provide specialty services including behavioral health, life and health management, long-term care, managed vision, nurse triage, pharmacy benefits management and treatment compliance. Founded in 1984, this St. Louis based company went public in 2001, and has grown rapidly in recent years. Challenges With over $2.9 billion in annual revenues, Centene faces a complex regulatory environment. In addition to the department of insurance, its customers state Medicaid programs - are Centene s primary regulators. State Medicaid contracts With Compliance 360 GRC System Centene has: Eliminated sanctions for late filings and failures to notify Improved Wisconsin state policy and procedure compliance from 15% to 98% Improved compliance with Texas state requirements for complaint tracking from 15% non compliance to 100% compliance Reduced time spent managing policies and procedures by 95% Reduced time spent on corrective action plans by 70% Reduced time spent preparing annual regulatory reports by 75%

CASE STUDY: Centene Corporation 3 constitute the bulk of its regulatory requirements. Grounded in the Federal Medicaid Managed Care Regulations that were part of the Balanced Budget Act of 1997, these requirements are often more detailed than a commercial health plan s department of insurance regulations, and can vary from one state to the next, in terms of both the regulatory content and enforcement regimes. Furthermore, compliance with other federal and state regulations are often incorporated by reference in these contracts (i.e., the Health Insurance Portability Act and Deficit Reduction Act of 2005). Centene s regional and corporate offices face far more frequent and substantial reporting requirements than a comparable commercial health plan, and the consequences for failure to file or late filing can be significant. Non-compliance with reporting requirements carries the risk of administrative penalties and can also lead to the potential loss of the entire contract. This places a heavy burden on corporate risk administrators, who need to have a clear real-time assessment of regulatory risk while avoiding tying the hands of its regional compliance staff members. Objectives With SAI Global It was in this multi-state context of rapid growth and ornate state and federal regulatory requirements that Centene decided in 2005 to partner with SAI Global to help manage its compliance environment. The objectives behind this decision were to: 1. Strengthen the effectiveness of the compliance program; 2. Reduce overall risks and increase visibility to help ensure that regulatory requirements were being met; and 3. Reduce the cost of compliance through standardization and automation. According to Robert Miromonti, Vice President of Ethics and Compliance, Centene began using the Compliance 360 GRC System as a tool for automating the corporate code of conduct. While our people are the primary solution to the problem of regulatory risk, Compliance 360 is the tool they use. What s telling is that we haven t had a material compliance failure since we ve started using Compliance 360. Karen Fain Vice President of Internal Audit Training an ever growing employee base on an evolving code of conduct was an important yet time consuming task. Once that function was up and running, Centene turned to improving its compliance risk reporting. In Centene s Medicaid world, compliance with State contracts is the primary compliance risk and Miromonti wanted more transparency of subsidiary risk at the corporate level. Chasing paper at Centene s regional sites soaked up a lot of time and energy, with inconsistent results. Compliance 360 has enabled us to eliminate that paper chase and we now have the documentation to support compliance efforts at our fingertips. Other tasks for which Centene has used the Compliance 360 GRC System include the management of state contract compliance; corrective action plans; regulator, provider and consumer complaints; tracking regulatory reporting; maintaining policies and procedures; and

4 CASE STUDY: Centene Corporation tracking regulatory incidents. Yet, with all these critical needs addressed, Centene continues to broaden its use of Compliance 360. New applications are being found for the software, and the use of Compliance 360 is being expanded into new areas including accreditation and the management of quality improvement projects ( QIPs ). William Kruegel, Director, Compliance and Regulatory Affairs for Centene s New Jersey based University Health Plans (UHP), is particularly interested in unleashing the organizational power of Compliance 360 on the plan s quality improvement activities. These activities are currently managed based on a 45 page quality plan. Kruegel expects using Compliance 360 to track the various activities, which include highlighting operational components to meet HEDIS, NCQA and state contract requirements, will create significant operational efficiencies for the company. How Centene Reduces Its Compliance Risks When any healthcare organization looks at its compliance risk profile, it sees a variety of potential landmines. These risks are in some ways more substantial in the case of a Medicaid contractor like Centene: Like commercial health plans, Medicaid plans face risks of regulatory actions such as fines and other administrative penalties from health and insurance regulators. In Arizona, for example, under the state contract for acute care and long-term care services, the penalty for filing a report late is $5,000 for the first occurrence, and increases to $10,000 for the second late report, according to Nicole Larson, Director, Compliance, for Centene s Arizona based Bridgeway Health Solutions. With the state acting not only as regulator but also as the sole purchaser of Medicaid plans services, the plans run the additional risk of losing the contract entirely in the event of a pattern of non-compliance. Regulatory fines pale in comparison to this risk of a catastrophic loss of 100 percent of a plan s business in a state and the resulting damage to the organization s reputation. Karen Fain, Centene s Vice President, Internal Audit notes, If you meet or exceed state contract requirements, you have a good shot at renewal. If not, you can lose the entire deal. As a result of this risk, the top priority of Centene s compliance team, even above limiting the costs of its compliance programs, is the elimination of these risks of noncompliance. Ms. Fain, adds, Even if there were no cost savings, Compliance 360 would be worth it for the comfort level in knowing we re identifying and addressing non-compliance risks as they emerge. Kruegel came to the company in mid-2006. In his short tenure at UHP, he has become a power user of Compliance 360. A few of his comments about his experience go to the heart of the software s capacity to reduce the risk of non-compliance: We utilize Compliance 360 to assist us in tracking our compliance with the State Medicaid contract, which is over 250 pages long. The care management, prior authorization, network standards and other contract requirements are in most cases, more stringent than a commercial carrier would face, and the contract governs about 90% of our regulatory requirements. Compliance 360 is particularly helpful in identifying performance gaps and managing our remediation efforts to close those gaps. When I came on board, I saw several sanction letters from the state, often around failure to

CASE STUDY: Centene Corporation 5 notify, respond in a timely manner, or file regulatory reports. For example, in 2004, our plan had a fine and a corrective action plan ( CAP ) for the late filing of the New Jersey Department of Banking and Insurance Annual Supplement. In 2005, the company received a fine for failure to notify the Department of Human Services of a termination notice received from a network hospital. Since I arrived in 2006, however, and started using Compliance 360 to track these requirements, we haven t incurred a single administrative penalty of this type. Compliance 360 really is a helpful tool at audit time. When the regulators make a request for certain documents in the middle of an audit, I simply search on a key word or run an evidence room report, and all the documents I need to produce for the regulators are retrieved in seconds. So, not only can I produce these documents quickly, I can document the details of my response to the auditors while I am in the system. In a recent audit by our external quality review organization (EQRO), having Compliance 360 s capability to produce the correct versions of documents quickly and manage compliance activities was actually cited as a best practice by the auditors in their report. One significant risk to any regulated organization lies in its ability to respond to regulatory directives. Regulators are well known for looking more harshly on violations pointed out in previous examinations that haven t been fixed, compared to newly discovered problems. Therefore, when Texas insurance regulators told Centene s Texas affiliate, Superior Health Plan, that they believed Superior s complaint numbers were so low as to suggest poor complaint tracking, the company turned to Compliance 360 to make sure the corrective action plan was implemented quickly and effectively. Jamey Phillips, the Lead Complaint Coordinator for Superior, used Compliance 360 to assure that Superior had a comprehensive complaint system resulting in efficient logging, tracking, retention and resolution of complaints. The Compliance 360 GRC System enables the Complaint Unit to provide regulators and internal staff with periodic reports on those complaints. In the four months prior to implementation the tracking of consumer complaints, the average number of captured complaints identified was 36 per month; in the two months after implementation, the average number was 65, an 80 percent increase in Compliance 360 really is a helpful tool at audit time... In a recent audit by our external quality review organization (EQRO), having Compliance 360 s capability to produce the correct versions of documents quickly and manage compliance activities was actually cited as a best practice by the auditors in their report. William Kruegel, Director, Compliance and Regulatory Affairs for University Health Plans complaints. Similarly, the number of provider complaints captured per month tripled, from 4 to 12 complaints. Phillips reports that the use of Compliance 360 for complaint tracking not only has helped Superior respond to the regulators demand to centralize the complaint process, but also has improved compliance with the state s complaint record-keeping requirements. The 2007 state audit revealed a 15 percent rate of non-compliance with those requirements, while a recent re audit showed 100 percent compliance with the state record keeping rules. This is a perfect

6 CASE STUDY: Centene Corporation example of the flexibility of Compliance 360 to meet our compliance needs, states Miromonti. We identified a gap and were able to quickly configure the system to remediate it. Jan Larson, Director, Quality Improvement and Compliance for Managed Health Services, reports an even more dramatic improvement in compliance levels. Her estimate of policy and procedure compliance before the implementation of Compliance 360 at Managed Health Services - Wisconsin was as low as 15 percent. A recent audit revealed that this compliance level is now approximately 98 percent. When responding to regulators, the most significant risk comes up in the context of corrective action plans. Sara Neale, Centene s Director, Ethics and Compliance, described how Compliance 360 has helped: We had a routine administrative audit in Arizona that resulted in a corrective action plan. The state sent a Word document for us to use to track the action plan and report back to the state. The challenge for us was that there were simply too many supporting documents for us to do this effectively. With Compliance 360, we were able to organize and manage the volumes of documentation. To manage the internal process of implementing the CAP, we can sort and report by responsible parties and give each individual access to a report specific to him/her. Furthermore, we can provide instantaneous reporting and supporting documentation to the state whenever required. Now, Neale reports, three years later, when the company gets audited on these same requirements, it is easy to bring the reports up-to-date and respond quickly and thoroughly to the audit. A notable development in managed care in the past decade has been the increased use of contractors for the performance of delegated services. This has also expanded the management of risk, as the non-compliance of contractors with regulatory or contract requirements can be imputed to the health plan, particularly if there is inadequate delegation oversight. To address that risk, Kruegel says, we ve begun using Compliance 360 to monitor our contractor s reporting requirements and timeframes for deliverables. Through this oversight tracking mechanism, we now have a way to easily scorecard our contractors and ensure regulatory and contract compliance. The system made it amazingly easy for me to certify compliance to the federal regulators. Robert Miromonti Vice President of Ethics and Compliance As any state or federal health care contractor knows, there is an intimate relationship between some operational issues and contract compliance. When Centene experienced an operational break down at one of its subsidiaries, the Compliance 360 GRC System was used to assess performance and detect the root cause of the issue. Miromonti reports that when the corporate Compliance department got involved and looked at root causes, it became apparent that there was no adequate tracking mechanism. They worked with the subsidiary to develop a tracking mechanism that is now used company wide to reduce the risk of non compliance. Centene s experience shows that the risky world of whistle blowing can be made a bit less risky

CASE STUDY: Centene Corporation 7 with Compliance 360. Recently, according to Miromonti, an employee brought an allegation that Centene was not compliant with a state contract requirement. Rather than having to plow through reams of paper or rely on he said/she said debates, the compliance assessment capacity of Compliance 360 allowed a relatively easy resolution of the complaint. The health plan had documented the company s compliance with the provisions that were the subject of the dispute, corroborating Centene s claim that it was in full compliance with the provisions. All we needed to do was review the evidence documented in Compliance 360 and validate that we were following the established procedures said Miromonti. The speed of the resolution helped Centene prevent a potential regulatory sanction and proactively send a clear message of status in control to regulators. The real value of Compliance 360 to Centene in reducing regulatory risk was noted succinctly by Karen Fain, Centene s Vice President of Internal Audit; While our people are the primary solution to the problem of regulatory risk, Compliance 360 is the tool they use. What s telling is that we haven t had a material compliance failure since we ve started using Compliance 360 to manage state contract compliance. How Centene Proactively Identifies Compliance Issues Too often, regulators are the first to discover a company s compliance problems. At that point, it can be too late for the regulated company to do anything to avoid sanctions. The federal sentencing guidelines note that an effective compliance program has the ability to seek out and find areas of non-compliance within the company. While Centene had an internal audit process in place, Miromonti decided that it would be important to augment that process with a compliance dashboard that allowed him to see - in real-time - where each of the subsidiaries were in terms of compliance with the state contracts. Miromonti turned to the Compliance 360 GRC System for this capability. Bridgeway s Nicole Larson noted that the risk management dashboard system allows senior staff to check compliance levels at any time. The system does much more than track levels of compliance, though. Compliance 360 allows us to assign tasks, set up projects, and track deliverables such as reports we provide to the state, Larson noted. Miromonti reports that the reporting features afforded by the risk management dashboard are a lifesaver. The dashboard consolidates all the data, all the reports, he notes. When we went live with Compliance 360, we went to instantaneous report-running. Now we have unlimited access to the data and can drill down as deep as we need - there s no longer a need to chase paper at the subsidiaries, because we now have immediate access to the issues and supporting documentation. We can run reports by new risks identified, open risks and risk categories. Prior to Compliance 360, we spent a significant amount of time tracking and consolidating reports. What would take the department a day or two each month to complete now is instantaneous. We now spend that time working with the subsidiaries on remediation efforts. As Centene proactively develops new dimensions to its compliance dashboard, it continues to uncover and address new compliance risks. An example of this occurred as Neale worked with the claims department on its dashboard. In developing the dashboard, Sara noticed that the claims department had inadvertently set internal standards that were lower than those required by the state. As a result of catching this error early, Centene was able to align its internal

8 CASE STUDY: Centene Corporation standards with the state s requirements and avert a potential regulatory problem. How Centene Reduces Compliance Overhead Costs Compliance executives at Centene report an ever-expanding set of uses for Compliance 360. One of the early adopters in the company was Kruegel, who says he uses the software to track anything and everything. He uses Compliance 360 not only to manage policies and procedures, as do most of his colleagues in the other regions, but also to track all correspondence with any regulatory agency. Kruegel records each regulatory letter received, schedules any follow-up tasks that flow from the correspondence, what the required information is for the response, the due date, the person responsible for the response, and the date the actual response was submitted. Thus, Kruegel notes, he can monitor on a daily basis, the status of any response. He finds this particularly helpful when multiple departments are responsible for generating a response. Without Compliance 360, this task would be very difficult and time consuming, with a significant risk of disconnects and missed steps. This is not a small portion of his work - by the end of July, Kruegel s department alone had received over 620 communications in 2008 from state regulators. Kruegel estimates that using Compliance 360 eliminates 75 percent of the staff time this task would consume. Kruegel finds even more dramatic savings in the time it takes to manage the other functions under his responsibility. He reports savings of roughly: 95 percent of the time required to manage his company s policies and procedures; 70 percent of the time required to work on corrective action plans; 75 percent of the time required to plan each year s regulatory reports. Centene uses the Compliance 360 GRC System to assess its current status and its readiness to assume new business. Miromonti had previously completed HIPAA compliance assessments using a generic tool, a project that took three to four months from assessment to final report generation. He estimates that this task consumes less than a week when done on Compliance 360, a time savings of over 95 percent. In addition, Compliance 360 s reporting capabilities allow him to provide daily reports on the assessment if needed. Bridgeway s Nicole Larson routinely uses the system to assess Bridgeway s readiness for new contract amendments, assigning projects and due dates for those projects. One of the interesting things to note about using Compliance 360 on corrective action plans ( CAPs ) is that it allows the compliance department to involve colleagues in the functional units of the company in the execution of the CAP. Kruegel notes that before we started using Compliance 360, I was much more involved in the nitty-gritty of implementing the CAPs. Now, with Compliance 360 s superior tracking and communication capabilities, I can entrust implementation to the people in the various departments who should be doing it and still keep the implementation rolling along at the proper pace. As mentioned, above, managing regulatory reporting is another source of significant savings gained through the use of Compliance 360. Kruegel reports that the New Jersey plan alone must file 15 quarterly reports, 10 semiannual reports, and 54 annual reports, one of which involves the input of more than 20 people because it is a compilation of data across multiple

CASE STUDY: Centene Corporation 9 departments. His Arizona counterpart, Nicole Larson, estimates that she spends about 8 hours per month on regulatory reporting with Compliance 360, compared to her estimated 2-3 FTEs that were required without the software, a savings of roughly 98 percent for this task. The Compliance 360 GRC System has helped Centene manage its rapid growth across 17 states over the last few years. Rhonda Galaske, Centene s Manager, Operational Policy, reports that the number of Centene s policies and procedures, company-wide, have nearly tripled, from 1,543 in 2005 to 4,073 in 2008. Yet, even with that explosive growth, Galaske uses Compliance 360 to eliminate one month of an employee s time per quarter in the task of managing and reporting on their policies and procedures. Prior to the implementation of Compliance 360 all polices required a physical signature to approve the document. The original copy was kept at the subsidiary and a copy was sent to the corporate office for tracking purposes. Jan Larson, Director, Quality Improvement and Compliance for Centene s Wisconsin plan, Managed Health Services, reports that the easy reporting of the status of policies and procedures that Compliance 360 provides is good for reminding policy owners. Galaske reports that this element of the system has allowed Centene to turn the ownership of managing policies back over to the business units. This creates a sense of ownership and accountability with the people who actually use the policies on a day-to-day basis. This staff savings from the use of Compliance 360 extends to the regional plans, as well. Bridgeway s Nicole Larson spends less than 1 percent of her time managing the plan s 160 policies, and noted that it would take between one and two FTEs to do the same job without the help of Compliance 360. Regulators and external auditors periodically require organizations to submit attestations regarding corporate training. Historically, this has been a time-consuming and error-prone process for organizations like Centene. A couple of examples of Centene s use of Compliance 360 Accountability is increased by encouraging the development of a culture of timely updates to the compliance assessment system and transparency regarding the compliance challenges subsidiaries face. Robert Miromonti Vice President of Ethics and Compliance highlight the software s usefulness in performing this function: Code of Conduct. Centene must annually survey its employees (now numbering about 3,400) regarding its Code of Conduct. Employees must attest that they have read the code and disclose any compliance issues or potential conflicts of interest. The Compliance Department must verify that each employee has responded, and investigate any of the disclosed issues or conflicts. Compliance 360 provides the attestation verification automatically and employees that have issues requiring further investigation can be instantaneously identified through reporting. This process saves the Compliance Department two man-months per year by reducing the administrative process of tracking paper documents.

10 CASE STUDY: Centene Corporation HLOGA and LDA. Centene s Government Relations department needed to address a federal requirement to conduct widespread training on the Honest Leadership and Open Government Act of 2007 (HLOGA) and the Lobbying Disclosure Act (LDA). Miromonti and his staff used Compliance 360 s Survey Module to rollout training and test employee understanding of the requirements. The organization was able to educate 90 percent of the nearly 3,400 employees within a month. The system made it amazingly easy for me to certify compliance to the federal regulators, reports Miromonti. Furthermore, I was able to use the system to distribute and track subcertifications from all employees directly involved in lobbying activities. A theme that is consistent across all of Centene s executives is the value of Compliance 360 s real-time reporting. Centene s executives report substantial savings from this capability. The real-time reporting function of Compliance 360 is excellent, notes Jamey Phillips of Superior Health Plan, Instead of having to go through a spreadsheet and calculate data, the software generates a full report with virtually no effort. The system is very efficient, especially for monthly reports. Before Compliance 360 came into use, it took 15 hours to report both member and provider complaints; after Compliance 360, it takes only two hours. Beyond the staff time savings, Nicole Larson reports a heightened accountability that results from real-time, comprehensive reporting provided by Compliance 360. Everybody knows who is responsible for what tasks, and when those tasks are due, she notes. Miromonti sees this increased accountability at the corporate level, too, as the company-wide reporting rolls up to a monthly corporate executive report. Accountability is increased by encouraging the development of a culture of timely updates to the compliance assessment system and transparency regarding the compliance challenges subsidiaries face, he concludes.

USA Europe Australia Asia info.americas@saiglobal.com info.emea@saiglobal.com info.asiapac@saiglobal.com info.asiapac@saiglobal.com Plainsboro, NJ T: +1 (877) 470-SAIG [7244] F: +1 609 924 9207 Warwickshire, UK T: +44 (0) 1926 523149 F: +44 (0) 1926 523130 Sydney T: +61 2 8206 6060 F: +61 2 8206 6019 Jakarta T: +62 21 720 6460 Waltham, MA T: +1 781 891 9700 F: +1 781 891 9701 Melbourne T: +61 3 9278 1555 F: +61 3 9278 1556 Alpharetta, GA T: +1 678 992 0262 F: +1 678 992 0266 Perth T: +61 8 9444 2777 F: +61 8 9444 2477 Houston, TX T: +1 713 954 4970 F: +1 713 954 4980 About SAI Global Compliance SAI Global Compliance is the world leader in providing organizations with a wide range of governance, risk and compliance (GRC) products, services and technology that help build organizational integrity and effectively manage compliance risk. Our global staff includes professionals and subject matter specialists in advisory services; program design, management and implementation; instructional design; and software development. Our focus is to help establish and enhance compliance effectiveness. With well over a thousand organizations as clients and tens of millions of satisfied users around the world, we work with clients to integrate a flexible suite of solutions and services specifically tailored for a business and industry. Our products include the world s largest library of compliance and ethics learning, Code of Conduct advisory services and training, and the Compliance 360 GRC Software Suite to manage compliance, policy, incident and audit management. Our Cintellate EH&S Software addresses key issues in operational environmental health and safety management. For more information, please call us at the full service location nearest you or visit 2012 SAI Global Ltd. The SAI Global name and logo, the Cintellate name and ListenUp name are trademarks of SAI Global Ltd. Compliance 360 and Virtual Evidence Room are registered trademarks of Compliance 360, Inc., an SAI Global company. All Rights Reserved. CSCCBR1210a