42 CFR 422.503 - General provisions.
(a)Basic rule. In order to qualify as an MA organization, enroll beneficiaries in any MA plans it offers, and be paid on behalf of Medicare beneficiaries enrolled in those plans, an MA organization must enter into a contract with CMS.
(b)Conditions necessary to contract as an MA organization. Any entity seeking to contract as an MA organization must:
(1) Complete an application as described in § 422.501.
(i) A policy making body that exercises oversight and control over the MA organization's policies and personnel to ensure that management actions are in the best interest of the organization and its enrollees.
(ii) Personnel and systems sufficient for the MA organization to organize, implement, control, and evaluate financial and marketing activities, the furnishing of services, the quality improvement program, and the administrative and management aspects of the organization.
(iii) At a minimum, an executive manager whose appointment and removal are under the control of the policy making body.
(iv) A fidelity bond or bonds, procured and maintained by the MA organization, in an amount fixed by its policymaking body but not less than $100,000 per individual, covering each officer and employee entrusted with the handling of its funds. The bond may have reasonable deductibles, based upon the financial strength of the MA organization.
(v) Insurance policies or other arrangements, secured and maintained by the MA organization and approved by CMS to insure the MA organization against losses arising from professional liability claims, fire, theft, fraud, embezzlement, and other casualty risks.
(vi) Adopt and implement an effective compliance program, which must include measures that prevent, detect, and correct non-compliance with CMS' program requirements as well as measures that prevent, detect, and correct fraud, waste, and abuse. The compliance program must, at a minimum, include the following core requirements:
(A) Written policies, procedures, and standards of conduct that -
(1) Articulate the organization's commitment to comply with all applicable Federal and State standards;
(2) Describe compliance expectations as embodied in the standards of conduct;
(3) Implement the operation of the compliance program;
(4) Provide guidance to employees and others on dealing with potential compliance issues;
(5) Identify how to communicate compliance issues to appropriate compliance personnel;
(6) Describe how potential compliance issues are investigated and resolved by the organization; and
(7) Include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials.
(B) The designation of a compliance officer and a compliance committee who report directly and are accountable to the organization's chief executive or other senior management.
(1) The compliance officer, vested with the day-to-day operations of the compliance program, must be an employee of the MA organization, parent organization or corporate affiliate. The compliance officer may not be an employee of the MA organization's first tier, downstream or related entity.
(2) The compliance officer and the compliance committee must periodically report directly to the governing body of the MA organization on the activities and status of the compliance program, including issues identified, investigated, and resolved by the compliance program.
(3) The governing body of the MA organization must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance programs.
(C)(1) Each MA organization must establish and implement effective training and education between the compliance officer and organization employees, the MA organization's chief executive or other senior administrator, managers and governing body members, and the MA organization's first tier, downstream, and related entities. Such training and education must occur at a minimum annually and must be made a part of the orientation for a new employee, new first tier, downstream and related entities, and new appointment to a chief executive, manager, or governing body member.
(2) First tier, downstream, and related entities who have met the fraud, waste, and abuse certification requirements through enrollment into the Medicare program are deemed to have met the training and educational requirements for fraud, waste, and abuse.
(3) An MA organization must require all of its first tier, downstream, and related entities to take the CMS training and accept the certificate of completion of the CMS training as satisfaction of this requirement. MA organizations are prohibited from developing and implementing their own training or providing supplemental training materials to fulfill this requirement.
(D) Establishment and implementation of effective lines of communication, ensuring confidentiality, between the compliance officer, members of the compliance committee, the MA organization's employees, managers and governing body, and the MA organization's first tier, downstream, and related entities. Such lines of communication must be accessible to all and allow compliance issues to be reported including a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified.
(E) Well-publicized disciplinary standards through the implementation of procedures which encourage good faith participation in the compliance program by all affected individuals. These standards must include policies that -
(1) Articulate expectations for reporting compliance issues and assist in their resolution,
(2) Identify noncompliance or unethical behavior; and
(3) Provide for timely, consistent, and effective enforcement of the standards when noncompliance or unethical behavior is determined.
(F) Establishment and implementation of an effective system for routine monitoring and identification of compliance risks. The system should include internal monitoring and audits and, as appropriate, external audits, to evaluate the MA organization, including first tier entities', compliance with CMS requirements and the overall effectiveness of the compliance program.
(G) Establishment and implementation of procedures and a system for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of self-evaluations and audits, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensure ongoing compliance with CMS requirements.
(2) The MA organization must conduct appropriate corrective actions (for example, repayment of overpayments, disciplinary actions against responsible employees) in response to the potential violation referenced in paragraph (b)(4)(vi)(G)(1) of this section.
(i) During the 6-month period beginning on the date the organization notified CMS of the intention to non-renew the most recent previous contract, there was a change in the statute or regulations that had the effect of increasing MA payments in the payment area or areas at issue; or
(ii) CMS has otherwise determined that circumstances warrant special consideration.
(7) Not have terminated a contract by mutual consent under which, as a condition of the consent, the MA organization agreed that it was not eligible to apply for new contracts or service area expansions for a period of 2 years per § 422.508(c) of this subpart.
(c)Contracting authority. Under the authority of section 1857(c)(5) of the Act, CMS may enter into contracts under this part without regard to Federal and Departmental acquisition regulations set forth in title 48 of the CFR and provisions of law or other regulations relating to the making, performance, amendment, or modification of contracts of the United States if CMS determines that those provisions are inconsistent with the efficient and effective administration of the Medicare program.
(d)Protection against fraud and beneficiary protections.
(1) CMS annually audits the financial records (including data relating to Medicare utilization, costs, and computation of the bid) of at least one-third of the MA organizations offering MA plans. These auditing activities are subject to monitoring by the Comptroller General.
(i) Inspect or otherwise evaluate the quality, appropriateness, and timeliness of services performed under the MA contract;
(ii) Inspect or otherwise evaluate the facilities of the organization when there is reasonable evidence of some need for such inspection; and
(iii) Audit and inspect any books, contracts, and records of the MA organization that pertain to -
(A) The ability of the organization or its first tier or downstream providers to bear the risk of potential financial losses; or
(B) Services performed or determinations of amounts payable under the contract.
(iv) CMS may require that the MA organization hire an independent auditor to provide CMS with additional information to determine if deficiencies found during an audit or inspection have been corrected and are not likely to recur. The independent auditor must work in accordance with CMS specifications and must be willing to attest that a complete and full independent review has been performed.
(e)Severability of contracts. The contract must provide that, upon CMS's request -
(2) A separate contract for any such excluded plan or entity will be deemed to be in place when such a request is made.