42 CFR § 422.503 - General provisions.
(a) Basic rule. In order to qualify as an MA organization, enroll beneficiaries in any MA plans it offers, and be paid on behalf of Medicare beneficiaries enrolled in those plans, an MA organization must enter into a contract with CMS.
(b) Conditions necessary to contract as an MA organization. Any entity seeking to contract as an MA organization must:
(1) Complete an application as described in § 422.501.
(i) A policy making body that exercises oversight and control over the MA organization's policies and personnel to ensure that management actions are in the best interest of the organization and its enrollees.
(ii) Personnel and systems sufficient for the MA organization to organize, implement, control, and evaluate financial and communication activities, the furnishing of services, the quality improvement program, and the administrative and management aspects of the organization.
(iii) At a minimum, an executive manager whose appointment and removal are under the control of the policy making body.
(iv) A fidelity bond or bonds, procured and maintained by the MA organization, in an amount fixed by its policymaking body but not less than $100,000 per individual, covering each officer and employee entrusted with the handling of its funds. The bond may have reasonable deductibles, based upon the financial strength of the MA organization.
(v) Insurance policies or other arrangements, secured and maintained by the MA organization and approved by CMS to insure the MA organization against losses arising from professional liability claims, fire, theft, fraud, embezzlement, and other casualty risks.
(vi) Adopt and implement an effective compliance program, which must include measures that prevent, detect, and correct non-compliance with CMS' program requirements as well as measures that prevent, detect, and correct fraud, waste, and abuse. The compliance program must, at a minimum, include the following core requirements:
(A) Written policies, procedures, and standards of conduct that -
(1) Articulate the organization's commitment to comply with all applicable Federal and State standards;
(2) Describe compliance expectations as embodied in the standards of conduct;
(3) Implement the operation of the compliance program;
(4) Provide guidance to employees and others on dealing with potential compliance issues;
(5) Identify how to communicate compliance issues to appropriate compliance personnel;
(6) Describe how potential compliance issues are investigated and resolved by the organization; and
(7) Include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials.
(B) The designation of a compliance officer and a compliance committee who report directly and are accountable to the organization's chief executive or other senior management.
(1) The compliance officer, vested with the day-to-day operations of the compliance program, must be an employee of the MA organization, parent organization or corporate affiliate. The compliance officer may not be an employee of the MA organization's first tier, downstream or related entity.
(2) The compliance officer and the compliance committee must periodically report directly to the governing body of the MA organization on the activities and status of the compliance program, including issues identified, investigated, and resolved by the compliance program.
(3) The governing body of the MA organization must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance programs.
(C)(1) Each MA organization must establish and implement effective training and education for its compliance officer and organization employees, the MA organization's chief executive and other senior administrators, managers and governing body members.
(2) Such training and education must occur at a minimum annually and must be made a part of the orientation for a new employee and new appointment to a chief executive, manager, or governing body member.
(D) Establishment and implementation of effective lines of communication, ensuring confidentiality, between the compliance officer, members of the compliance committee, the MA organization's employees, managers and governing body, and the MA organization's first tier, downstream, and related entities. Such lines of communication must be accessible to all and allow compliance issues to be reported including a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified.
(E) Well-publicized disciplinary standards through the implementation of procedures which encourage good faith participation in the compliance program by all affected individuals. These standards must include policies that -
(1) Articulate expectations for reporting compliance issues and assist in their resolution,
(2) Identify noncompliance or unethical behavior; and
(3) Provide for timely, consistent, and effective enforcement of the standards when noncompliance or unethical behavior is determined.
(F) Establishment and implementation of an effective system for routine monitoring and identification of compliance risks. The system should include internal monitoring and audits and, as appropriate, external audits, to evaluate the MA organization, including first tier entities', compliance with CMS requirements and the overall effectiveness of the compliance program.
(G) Establishment and implementation of procedures and a system for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of self-evaluations and audits, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensure ongoing compliance with CMS requirements.
(2) The MA organization must conduct appropriate corrective actions (for example, repayment of overpayments, disciplinary actions against responsible employees) in response to the potential violation referenced in paragraph (b)(4)(vi)(G)(1) of this section.
(4) The MA organization must have procedures to identify, and must report to CMS or its designee either of the following, in the manner described in paragraphs (b)(4)(vi)(G)(4) through (6) of this section:
(i) Any payment suspension implemented by a plan, pending investigation of credible allegations of fraud by a pharmacy, which must be implemented in the same manner as the Secretary does under section 1862(o)(1) of the Act.
(ii) Any information concerning investigations, credible evidence of suspicious activities of a provider of services (including a prescriber) or supplier, and other actions taken by the plan related to the inappropriate prescribing of opioids.
(5) The MA organization must submit data, as specified in this section, in the program integrity portal when reporting payment suspensions pending investigations of credible allegations of fraud by pharmacies; information related to the inappropriate prescribing of opioids and concerning investigations and credible evidence of suspicious activities of a provider of services (including a prescriber) or supplier, and other actions taken by the MA organization; or if the plan reports a referral, through the portal, of substantiated or suspicious activities of a provider of services (including a prescriber) or a supplier related to fraud, waste, or abuse to initiate or assist with investigations conducted by CMS, or its designee, a Medicare program integrity contractor, or law enforcement partners. The data categories, as applicable, include referral information and actions taken by the MA organization on the referral.
(6)(i) The MA organization is required to notify the Secretary, or its designee, of a payment suspension described in paragraph (b)(4)(vi)(G)(4)(i) of this section 7 days prior to implementation of the payment suspension. The MA organization may request an exception to the 7-day prior notification to the Secretary, or its designee, if circumstances warrant a reduced reporting time frame, such as potential beneficiary harm.
(ii) The MA organization is required to submit the information described in paragraph (b)(4)(vi)(G)(4)(ii) of this section no later than January 30, April 30, July 30, and October 30 of each year for the preceding periods, respectively, of October 1 through December 31, January 1 through March 31, April 1 through June 30, and July 1 through September 30. For the first reporting period (January 30, 2022), the reporting will reflect the data gathered and analyzed for the previous quarter in the calendar year (October 1-December 31).
(7)(i) CMS will provide MA organizations with data report(s) or links to the information described in paragraphs (b)(4)(vi)(G)(4)(i) and (ii) of this section no later than April 15, July 15, October 15, and January 15 of each year based on the information in the portal, respectively, as of the preceding October 1 through December 31, January 1 through March 31, April 1 through June 30, and July 1 through September 30.
(ii) Include administrative actions, pertinent information related to opioid overprescribing, and other data determined appropriate by the Secretary in consultation with stakeholders.
(iii) Are anonymized information submitted by plans without identifying the source of such information.
(iv) For the first quarterly report (April 15, 2022), that the report reflect the data gathered and analyzed for the previous quarter submitted by the plan sponsors on January 30, 2022.
(i) Not accept, or share a corporate parent organization owning a controlling interest in an entity that accepts, new enrollees under a section 1876 reasonable cost contract in any area in which it seeks to offer an MA plan.
(ii) Not accept, or be either the parent organization owning a controlling interest of or subsidiary of an entity that accepts, new enrollees under a section 1876 reasonable cost contract in any area in which it seeks to offer an MA plan.
(i) During the 6-month period beginning on the date the organization notified CMS of the intention to non-renew the most recent previous contract, there was a change in the statute or regulations that had the effect of increasing MA payments in the payment area or areas at issue; or
(ii) CMS has otherwise determined that circumstances warrant special consideration.
(7) Not have terminated a contract by mutual consent under which, as a condition of the consent, the MA organization agreed that it was not eligible to apply for new contracts or service area expansions for a period of 2 years per § 422.508(c) of this subpart.
(c) Contracting authority. Under the authority of section 1857(c)(5) of the Act, CMS may enter into contracts under this part without regard to Federal and Departmental acquisition regulations set forth in title 48 of the CFR and provisions of law or other regulations relating to the making, performance, amendment, or modification of contracts of the United States if CMS determines that those provisions are inconsistent with the efficient and effective administration of the Medicare program.
(d) Protection against fraud and beneficiary protections.
(1) CMS annually audits the financial records (including data relating to Medicare utilization, costs, and computation of the bid) of at least one-third of the MA organizations offering MA plans. These auditing activities are subject to monitoring by the Comptroller General.
(i) Inspect or otherwise evaluate the quality, appropriateness, and timeliness of services performed under the MA contract;
(ii) Inspect or otherwise evaluate the facilities of the organization when there is reasonable evidence of some need for such inspection; and
(iii) Audit and inspect any books, contracts, and records of the MA organization that pertain to -
(A) The ability of the organization or its first tier or downstream providers to bear the risk of potential financial losses; or
(B) Services performed or determinations of amounts payable under the contract.
(iv) CMS may require that the MA organization hire an independent auditor to provide CMS with additional information to determine if deficiencies found during an audit or inspection have been corrected and are not likely to recur. The independent auditor must work in accordance with CMS specifications and must be willing to attest that a complete and full independent review has been performed.
(e) Severability of contracts. The contract must provide that, upon CMS's request -
(2) A separate contract for any such excluded plan or entity will be deemed to be in place when such a request is made.