HEDIS Compliance Audit Program 

The National Committee for Quality Assurance (NCQA) assumed responsibility for management of the evolution of the Healthcare Effectiveness Data and Information Set (HEDIS®) in 1992, with one clear goal - by devising a standardized set of performance measures that could be used by various constituencies to compare health plans, we could help drive quality improvement in the market. Since the release of HEDIS 2.0 in 1993, the demand for health plan performance data has grown dramatically. HEDIS has been embraced by employers, consumer organizations, state and federal regulators, consultants and health plans as the performance measurement tool of choice, and surveys indicate that almost 90 percent of all health plans collect and report at least some HEDIS data.

To encourage widespread reporting, NCQA has worked with a broad-based committee of experts to develop and improve HEDIS in order to make sure that it meets the information needs of all affected stakeholders - employers, consumers, regulators and health plans.

Although HEDIS itself has been widely praised as a meaningful and important tool for health plan assessment, there has been strong interest, from employers and others, in developing a means by which to validate data collected and reported by health plans. It is recognized that, despite the clear specifications defined in HEDIS, data collection and calculation methods employed by health plans may vary, and other errors may taint the results, diminishing the usefulness of HEDIS data for managed care organization (MCO) comparison. NCQA's analysis of HEDIS data collected as part of a national report card pilot project and the Quality Compass initiative, and experience with numerous state and local projects, confirms that these are justifiable concerns.

In order for HEDIS to reach its full potential, NCQA and others concluded that an independent audit of HEDIS collection and reporting processes, as well as an audit of the data which are manipulated by those processes, would be necessary in order to verify that HEDIS specifications are met. Purchasers, regulators and health plans have asked NCQA to develop a consistent audit methodology for use by all HEDIS auditors. In response, in 1995 NCQA convened the Audit Committee to develop such audit standards. The committee developed a precise, standardized methodology for verifying the integrity of HEDIS collection and calculation processes - the NCQA HEDIS Compliance Audit. It is a two-part program consisting of an overall information systems capabilities assessment (IS standards) followed by an evaluation of the MCO's ability to comply with HEDIS specifications (HD standards). NCQA-certified auditors using standard audit methodologies will help enable purchasers to make more reliable "apples-to-apples" comparisons between health plans.

The Audit Standards

The audit standards were designed to complement other verification activities that already occur within health plans. As a result, the standards do not address information audited by other organizations (e.g., financial/accounting firms or state regulatory agencies), or information based on narrative descriptions of programs that are addressed in the NCQA Accreditation Standards.

The NCQA HEDIS Compliance Audit indicates whether a managed care organization has adequate and sound capabilities for processing medical, member and provider information as a foundation for accurate and automated performance measurement, including HEDIS reporting. The Audit addresses the following functions in both the IS and HD categories:
  • information practices and control procedures
  • sampling methods and procedures
  • data integrity
  • compliance with HEDIS specifications
  • analytic file production
  • reporting and documentation
The audit is principally designed to verify the compliance of HEDIS production processes with specifications, not to establish the accuracy of HEDIS results. However, auditors will verify a sample of HEDIS measures to confirm that HEDIS results are based on accurate source information. The focus of the audit is on data management processes and algorithmic compliance (the translation of captured data into HEDIS statistics, according to the specifications defined by NCQA). Health plans may report additional information beyond the technical requirements of HEDIS. For example, plans may report comparisons to benchmarks, norms or past HEDIS performance (trended data). Validating the use of such external data, however, is beyond the scope of the NCQA HEDIS Compliance Audit, which focuses on the technical aspects of how HEDIS data are produced.

Information System Capabilities Standards

The first part of each HEDIS Compliance Audit consists of a review of a health plan's overall information systems capabilities. Relevant standards address the basic capabilities a managed care organization has in place for collecting, storing, analyzing and reporting health information. The managed care organization must have adequate capabilities for processing medical, member and provider information as a foundation for accurate HEDIS reporting. The plan must also demonstrate the adequacy of its procedures, where manual processes are used, including medical record review processes. In short, a managed care organization must demonstrate effective systems, information practices and control procedures for producing and using information in core business functions for auditors to have confidence in its HEDIS reporting.

Compliance with HEDIS Specifications Standards

The Standards and Guidelines for Assessing Specification Compliance assume that the auditor has completed the Information Systems Capabilities Assessment. Once the auditor has gained an understanding of the MCO information systems through this assessment, the auditor is able to design appropriate verification audit steps pertaining to specific HEDIS measures. In general, this section addresses compliance with conventional reporting practices and HEDIS specifications for the following domains:
  • Effectiveness of Care
  • Access/Availability of Care
  • Experience of Care
  • Utilization and Risk Adjusted Utilization
  • Relative Resource Use
  • Health Plan Descriptive Information
  • Measures Collected Using Electronic Clinical Data Systems
Indicators of the managed care organization's financial and business position are audited by state regulators as well, and differ based on the requirements mandated by each state. These standards do not attempt to duplicate audit efforts and increase audit burden; rather, they attempt to cover measures that are generally not reviewed by others.

Audit Results

The final report of an audit gives results of Reportable (rate or count), NA (denominator less than 30), NB (benefit not offered), NR (not reported), NQ (not required to report), BR (biased rate) or UN (un-audited) for each measure in the set reviewed in the audit. These results are defined as follows:

Reportable. A reportable rate was submitted for the measure.

Small Denominator. The organization followed the specifications, but the denominator was too small (<30) to report a valid rate.

No Benefit. The organization did not offer the health benefit required by the measure (e.g., mental health, chemical dependency)

Not Reported. The organization chose not to report the measure.

Not Required. The organization was not required to report the measure.

Biased Rate. The calculated rate was materially biased.

Un-Audited. The organization chose to report a measure that is not required to be audited. This result applies to only a limited set of measures.

Certification Examination, Licensure, and Monitoring

Certification of individual auditors and licensing of qualified organizations will help verify that standard auditing methodologies are used during all NCQA HEDIS Compliance Audits.

NCQA developed a qualifying exam with an external vendor who has expertise in test development and delivery. They also assisted NCQA in creating and scoring the Certified HEDIS Compliance Auditor (CHCA) exams to accurately measure the skills, knowledge and abilities needed. Individuals must pass before being designated an NCQA-Certified HEDIS Compliance Auditor. The exam consists, in part, of an audit of a hypothetical health plan’s HEDIS processes against NCQA’s standards. (For more information on becoming a CHCA and the exam schedule, click here.)

To maintain certification, auditors must lead two audits every year, obtain 6 hours of continuing education credits (approved by the Measure Validation team), attend the Auditor Update Conference annually and adhere to the Code of Professional Conduct. Re-certification is required every year. (To view the CHCA Approved Continuing Education list, click here.) 

NCQA also licenses organizations to conduct HEDIS Compliance Audits. Individuals taking the Certification Exam must be employed by or contract with an NCQA-Licensed Organization. NCQA also monitors the quality of audit work through ongoing assessments of audit performances by auditors and licensed organizations.
NCQA's HEDIS Compliance Audit Standards provide a national standard for auditing health plans' HEDIS collection and reporting processes, thus allowing for accurate, reliable data for comparisons of performance between plans. This will encourage value-based purchasing which will, in turn, allow health plans to compete based on quality and value, rather than on cost.