Compliance Review for Healthcare Proposals
We are frequently asked to review our client’s proposals for compliance with the request for proposal (RFP). It’s a detailed task – our reviewers have to look at every response and determine whether that response is compliant with requirements.
But what does compliant mean? A good working definition might be “adequately satisfies the requirements.” Even that, though, might not be particularly helpful in judging whether a particular part of a response is compliant.
The reference point for judging compliance is a compliance matrix. This matrix identifies the primary requirement – RFP question, scope of work requirement, contract requirement, or whatever the RFP asks you, as the bidder, to answer. It then cross references the primary requirement to all other related secondary requirements, including the contract, administrative regulations, statutes, and so on.
With the compliance matrix, you can read the response to a primary requirement, and decide whether that response is compliant. In practice, there are many factors that affect the decision. Consider the following basic levels of compliance:
- Acknowledgment: the response acknowledges the existence of the requirement (whether a primary or secondary requirement); you, as the bidder, agree to perform it.
- What: the response acknowledges the requirement, then says what you will do to satisfy the requirement. For example, a typical managed care RFP might ask you to provide a report of the percentage of claims paid within 30, 60, and 90 days. You agree to provide the report, then say you will use a reporting system and your regulatory reporting department to produce and submit the report.
- How: the response acknowledges the requirement; says what you will do to satisfy the requirement; and explains how the process works to produce the result. So, for the reporting example, you would acknowledge and agree to the requirement, mention the reporting system and reporting department, then delve into the details of what happens to produce the report. In this case, you might explain that (a) the data warehouse is refreshed from the claims system weekly; (b) a custom report, programmed in Crystal Reports (or some other similar system) runs against the data warehouse after the close of the reporting period; (c) the report is reviewed by claims managers and health plan executives to review its correctness; (d) errors are tracked, identified, and corrected, and the report is re-run if necessary; (e) the approved report is sent in electronic form to the designated client contact; (f) the regulatory reporting staff will respond to questions from the client about the report.
- Substantiation: This might appear at any of the above levels, and might be argued to not strictly be compliance-related. However, it states capability and experience: for example, that you run similar reports for 25 other clients every month in your current business, and adding this client will not be difficult.
- Performance: As with substantiation, this might not be strictly a compliance issue. A performance claim reduces the existing capability and experience to numbers: for example, that in the last year of running those reports for the 25 clients, 98.5 percent of the reports were delivered on time; 100 percent were delivered within three business days after the required due date; and 100 percent of the delivered reports were error-free.
The hard part is determining which of these elements (among many possible others, such as acceptability of the proposed “how” to the client) is necessary to achieve compliance.
In the sequence from the first element above (Acknowledgement) to the last (Performance), you build credibility for your solution. But a particular customer might not expect all of that detail in every answer. There might be other constraints, such as proposal page limits, that prevent you from providing it in the response. Other factors include:
- How much does the customer trust you already? Are you already an incumbent that is performing at or above required performance levels? Or are you a new entrant that has a well-known market reputation, and have you used every legitimate opportunity to build a working relationship with the customer prior to the release of the RFP?
- Has the customer ever heard of the solution you’re proposing? For example, one bidder proposed a system that had been used in several similar state contracts, but because it was a proprietary system not known to the customer, the customer rejected it.
- What is the relative complexity of the requirement? Complicated systems and processes require more explanation and substantiation to provide a convincing demonstration that you can comply.
- What is the relative importance of the requirement? If the customer considers the requirement mission-critical, they’ll want to be absolutely certain that whatever you propose will not fall apart in a real world situation.
So: compliance review is often a judgment call about whether the answer appears to provide a complete and coherent response to all of the primary and secondary requirement elements. It’s often better if the reviewers don’t know the answers to the questions about relationship, importance, and complexity; they can then make an unbiased decision about whether the response is compliant, and advise accordingly. But what is submitted might have to be more or less complete to win – depending on those answers.