HEDIS Compliance Audit™

NCQA licenses organizations and certifies individuals affiliated with licensed organizations to conduct audits using NCQA's standardized audit methodology. Auditors use the first half of the audit, the overall IS review, to identify data areas to focus on during the second half of the review (HEDIS® Compliance Standards). This allows for customization of each audit depending on the individual health plan's strengths and weaknesses. The audit adds a higher degree of integrity to HEDIS data, and enables organizations to provide consumers and purchasers with consistent and comparable HEDIS results.

For more information on the HEDIS Compliance Audit Program, click here.

For more information on becoming a Certified HEDIS Compliance Auditor (CHCA) and the exam schedule, click here.

The Compliance Audit Program 

The National Committee for Quality Assurance (NCQA) assumed responsibility for management of the evolution of the Healthcare Effectiveness Data and Information Set (HEDIS®) in 1992, with one clear goal - by devising a standardized set of performance measures that could be used by various constituencies to compare health plans, we could help drive quality improvement in the market. Since the release of HEDIS 2.0 in 1993, the demand for health plan performance data has grown dramatically. HEDIS has been embraced by employers, consumer organizations, state and federal regulators, consultants and health plans as the performance measurement tool of choice, and surveys indicate that almost 90 percent of all health plans collect and report at least some HEDIS data.

To encourage widespread reporting, NCQA worked with a broad-based committee of experts to develop and improve HEDIS in order to make sure that it meets the information needs of all affected stakeholders - employers, consumers, regulators and health plans. 

Although HEDIS itself has been widely praised as a meaningful and important tool for health plan assessment, there has been strong interest, from employers and others, in developing a means by which to validate data collected and reported by health plans. It is recognized that, despite the clear specifications defined in HEDIS, data collection and calculation methods employed by health plans may vary, and other errors may taint the results, diminishing the usefulness of HEDIS data for health plan comparison. NCQA's analysis of HEDIS data collected for use in Accreditation, Quality Compass and other NCQA programs, and experience with numerous state and local projects, confirms that these are justifiable concerns. 

Purchasers, regulators and health plans asked NCQA to develop a consistent audit methodology for use by all HEDIS auditors. In response, in 1995 NCQA convened the Audit Committee to develop such audit standards. The committee developed a precise, standardized methodology for verifying the integrity of HEDIS collection and calculation processes - the NCQA HEDIS Compliance Audit. It is a two-part program consisting of an overall information systems capabilities assessment (IS standards) followed by an evaluation of the health plan's ability to comply with HEDIS specifications (HD standards). NCQA-certified auditors, using standard audit methodologies, will help enable purchasers to make more reliable "apples-to-apples" comparisons between health plans. 

The Audit Standards

The audit standards were designed to complement other verification activities that already occurred within health plans. As a result, the standards do not address information audited by other organizations (e.g., financial/accounting firms or state regulatory agencies), or information based on narrative descriptions of programs that are addressed in the NCQA Accreditation Standards. 

The NCQA HEDIS Compliance Audit indicates whether a health plan has adequate and sound capabilities for processing medical, member and provider information as a foundation for accurate and automated performance measurement, including HEDIS reporting. The Audit addresses the following functions in both the IS and HD categories:

  • information practices and control procedures
  • sampling methods and procedures
  • data integrity
  • compliance with HEDIS specifications
  • analytic file production
  • reporting and documentation 

The HEDIS audit is principally designed to verify the compliance of HEDIS production processes with technical specifications, to establish the accuracy of HEDIS results. The focus of the audit is on data management processes and algorithmic compliance (the translation of captured data into HEDIS statistics, according to the specifications defined by NCQA). Health plans may report additional information beyond the technical requirements of HEDIS. For example, plans may report comparisons to benchmarks, norms or past HEDIS performance (trended data). Validating the use of such external data, however, is beyond the scope of the NCQA HEDIS Compliance Audit, which focuses on the technical aspects of how HEDIS data are produced. 

Information System Capabilities Standards

The first part of each HEDIS Compliance Audit consists of a review of a health plan's overall information systems capabilities. Relevant standards address the basic capabilities a health plan has in place for collecting, storing, analyzing and reporting health information. The health plan must have adequate capabilities for processing medical, member and provider information as a foundation for accurate HEDIS reporting. The plan must also demonstrate the adequacy of its procedures, where manual processes are used, including medical record review processes. In short, a health plan must demonstrate effective systems, information practices and control procedures for producing and using information in core business functions for auditors to have confidence in its HEDIS reporting.

Compliance with HEDIS Specifications Standards

The Standards and Guidelines for Assessing Specification Compliance assume that the auditor has completed the Information Systems Capabilities Assessment. Once the auditor has gained an understanding of the health plan’s information systems through this assessment, the auditor is able to design appropriate verification audit steps pertaining to specific HEDIS measures. In general, this section addresses compliance with conventional reporting practices and HEDIS specifications for the following domains:

  • Effectiveness of Care
  • Access/Availability of Care
  • Experience of Care
  • Utilization and Risk Adjusted Utilization
  • Relative Resource Use (measures are suspended).
  • Health Plan Descriptive Information
  • Measures Collected Using Electronic Clinical Data Systems

Audit Results

The final report of an audit gives results of Reportable (rate or count), NA (denominator less than 30), NB (benefit not offered), NR (not reported), NQ (not required to report), BR (biased rate) or UN (un-audited) for each measure in the set reviewed in the audit. These results are defined as follows: 

Reportable. A reportable rate was submitted for the measure.

Small Denominator. The organization followed the specifications, but the denominator was too small (<30) to report a valid rate.

a. For EOC and EOC-like measures, when the denominator is <30; and for HAI, when Total Inpatient Discharges is <30.

b. For utilization measures that count member months, when the denominator is <360-member months.

c. For all risk-adjusted utilization measures, except PCR, when the denominator is <150.

No Benefit. The organization did not offer the health benefit required by the measure (e.g., mental health, chemical dependency)

Not Reported. The organization chose not to report the measure.

Not Required. The organization was not required to report the measure.

Biased Rate. The calculated rate was materially biased.

Un-Audited. The organization chose to report a measure that is not required to be audited. This result applies to only a limited set of measures (e.g., ECDS, Board Certification). 

Certification Examination, Licensure, and Monitoring

Certification of individual auditors and licensing of qualified organizations will help verify that standard auditing methodologies are used during all NCQA HEDIS Compliance Audits.

NCQA developed a qualifying exam with an external vendor who has expertise in test development and delivery. They also assisted NCQA in creating and scoring the Certified HEDIS Compliance Auditor (CHCA) exams to accurately measure the skills, knowledge and abilities needed. Individuals must pass before being designated an NCQA-Certified HEDIS Compliance Auditor. The exam consists, in part, of an audit of a hypothetical health plan’s HEDIS processes against NCQA’s standards. (For more information on becoming a CHCA and the exam schedule, click here.)

To maintain certification, auditors must lead two audits every year, obtain 6 hours of continuing education credits (approved by the Measure Validation team), attend the Auditor Update Conference annually and adhere to the Code of Professional Conduct. Re-certification is required every year. (To view the CHCA Approved Continuing Education list, click here.) 

NCQA also licenses organizations to conduct HEDIS Compliance Audits. Individuals taking the Certification Exam must be employed by or contract with an NCQA-Licensed Organization. NCQA also monitors the quality of audit work through ongoing assessments of audit performances by auditors and licensed organizations.

NCQA's HEDIS Compliance Audit Standards provide a national standard for auditing health plans' HEDIS collection and reporting processes, thus allowing for accurate, reliable data for comparisons of performance between plans. This will encourage value-based purchasing which will, in turn, allow health plans to compete based on quality and value, rather than on cost.

Certification Review and Examination Schedule

The next CHCA exam review and session will be held on December 10 and 11, 2018, at the NCQA Washington, DC office. 

Overview of Certification Review and Examination: On day one, NCQA conducts a half day review of the HEDIS Compliance Audit program and methodologies. The agenda of the review includes: program overview, examination structure and strategies, audit preparation, audit methodologies for information systems and HEDIS determination, audit reporting, and ethical standards. On the morning of the second day, the Certification Examination is administered. The exam consists of both conceptual and applied questions on HEDIS compliance audits. The total time of the examination is four hours.

Fee: The combined fee for the Application, Certification Review Session, Examination (two attempts), HEDIS manuals, and one-year Certification Fee is $6,000. A participant is allowed two opportunities to participate in the Certification Review and Examination before the $6,000 is forfeited.

Certification: Upon receiving a passing score on the Certification Examination, the participant receives the designation of Certified HEDIS Compliance Auditor (CHCA). The certification is valid for one-year, upon agreement with all contractual requirements for maintaining certification. At the end of the one-year period, a certified auditor can renew certification following NCQA approval and a re-certification fee of $2,100.

Please submit any questions into our Policy Clarification Support (PCS) system http://my.ncqa.org. Questions should be submitted to 'HEDIS Audit' in the Product/Program Type drop-down box.