42 CFR § 422.504 - Contract provisions.
(a) Agreement to comply with regulations and instructions. The MA organization agrees to comply with all the applicable requirements and conditions set forth in this part and in general instructions. Compliance with the terms of this paragraph (a) is material to the performance of the MA contract. The MA organization agrees -
(1) To accept new enrollments, make enrollments effective, process voluntary disenrollments, and limit involuntary disenrollments, as provided in subpart B of this part.
(3) To provide -
(5) To operate a quality assurance and performance improvement program and have an agreement for external quality review as required under subpart D of this part;
(6) To comply with all applicable provider and supplier requirements in subpart E of this part, including provider certification requirements, anti-discrimination requirements, provider participation and consultation requirements, the prohibition on interference with provider advice, limits on provider indemnification, rules governing payments to providers, limits on physician incentive plans, and the preclusion list requirements in §§ 422.222 and 422.224.
(7) To comply with all requirements in subpart M of this part governing coverage determinations, grievances, and appeals;
(11) That its contract may not be renewed or may be terminated in accordance with this subpart and subpart N of this part.
(12) To comply with all requirements that are specific to a particular type of MA plan, such as the special rules for private fee-for-service plans in §§ 422.114 and 422.216 and the MSA requirements in §§ 422.56, 422.103, and 422.262; and
(13) To comply with the confidentiality and enrollee record accuracy requirements in § 422.118.
(14) Maintain a fiscally sound operation by at least maintaining a positive net worth (total assets exceed total liabilities).
(16) To maintain administrative and management capabilities sufficient for the organization to organize, implement, and control the financial, marketing, benefit administration, and quality improvement activities related to the delivery of Part C services.
(17) To maintain a Part C summary plan rating score of at least 3 stars under the 5-star rating system specified in subpart D of this part. A Part C summary plan rating is calculated as provided in § 422.166.
(d) Maintenance of records. The MA organization agrees to maintain for 10 years books, records, documents, and other evidence of accounting procedures and practices that -
(1) Are sufficient to do the following:
(i) Accommodate periodic auditing of the financial records (including data related to Medicare utilization, costs, and computation of the bid) of MA organizations.
(ii) Enable CMS to inspect or otherwise evaluate the quality, appropriateness and timeliness of services performed under the contract, and the facilities of the organization.
(iii) Enable CMS to audit and inspect any books and records of the MA organization that pertain to the ability of the organization to bear the risk of potential financial losses, or to services performed or determinations of amounts payable under the contract.
(iv) Properly reflect all direct and indirect costs claimed to have been incurred and used in the preparation of the bid proposal.
(vi) Determine the rates utilized in setting premiums for State insurance agency purposes and for other government and private purchasers; and
(2) Include at least records of the following:
(i) Ownership and operation of the MA organization's financial, medical, and other record keeping systems.
(ii) Financial statements for the current contract period and 10 prior periods.
(iii) Federal income tax or informational returns for the current contract period and 10 prior periods.
(iv) Asset acquisition, lease, sale, or other action.
(v) Agreements, contracts, and subcontracts.
(vi) Franchise, marketing, and management agreements.
(vii) Schedules of charges for the MA organization's fee-for-service patients.
(viii) Matters pertaining to costs of operations.
(ix) Amounts of income received by source and payment.
(x) Cash flow statements.
(xi) Any financial reports filed with other Federal programs or State authorities.
(e) Access to facilities and records. The MA organization agrees to the following:
(1) HHS, the Comptroller General, or their designee may evaluate, through inspection, audit, or other means -
(i) The quality, appropriateness, and timeliness of services furnished to Medicare enrollees under the contract;
(ii) Compliance with CMS requirements for maintaining the privacy and security of protected health information and other personally identifiable information of Medicare enrollees;
(iii) The facilities of the MA organization to include computer and other electronic systems; and
(iv) The enrollment and disenrollment records for the current contract period and 10 prior periods.
(2) HHS, the Comptroller General, or their designees may audit, evaluate, or inspect any books, contracts, medical records, patient care documentation, and other records of the MA organization, related entity, contractor, subcontractor, or its transferee that pertain to any aspect of services performed, reconciliation of benefit liabilities, and determination of amounts payable under the contract, or as the Secretary may deem necessary to enforce the contract.
(3) The MA organization agrees to make available, for the purposes specified in paragraph (d) of this section, its premises, physical facilities and equipment, records relating to its Medicare enrollees, and any additional relevant information that CMS may require.
(4) HHS, the Comptroller General, or their designee's right to inspect, evaluate, and audit extends through 10 years from the end of the final contract period or completion of audit, whichever is later unless -
(ii) There has been a termination, dispute, or allegation of fraud or similar fault by the MA organization, in which case the retention may be extended to 6 years from the date of any resulting final resolution of the termination, dispute, fraud, or similar fault; or
(f) Disclosure of information. The MA organization agrees to submit -
(1) To CMS, certified financial information that must include the following:
(2) To CMS, all information that is necessary for CMS to administer and evaluate the program and to simultaneously establish and facilitate a process for current and prospective beneficiaries to exercise choice in obtaining Medicare services. This information includes, but is not limited to:
(iv) Plan quality and performance indicators for the benefits under the plan including -
(A) Disenrollment rates for Medicare enrollees electing to receive benefits through the plan for the previous 2 years;
(B) Information on Medicare enrollee satisfaction;
(C) Information on health outcomes;
(D) The recent record regarding compliance of the plan with requirements of this part, as determined by CMS; and
(v) Information about beneficiary appeals and their disposition;
(vi) Information regarding all formal actions, reviews, findings, or other similar actions by States, other regulatory bodies, or any other certifying or accrediting organization;
(g) Beneficiary financial protections. The MA organization agrees to comply with the following requirements:
(1) Effective January 1, 2010, each MA organization must adopt and maintain arrangements satisfactory to CMS to protect its enrollees from incurring liability (for example, as a result of an organization's insolvency or other financial difficulties) for payment of any fees that are the legal obligation of the MA organization. To meet this requirement, the MA organization must -
(ii) Indemnify the enrollee for payment of any fees that are the legal obligation of the MA organization for services furnished by providers that do not contract, or that have not otherwise entered into an agreement with the MA organization, to provide services to the organization's enrollees; and
(iii) For all MA organizations with enrollees eligible for both Medicare and Medicaid, specify in contracts with providers that such enrollees will not be held liable for Medicare Part A and B cost sharing when the State is responsible for paying such amounts, and inform providers of Medicare and Medicaid benefits, and rules for enrollees eligible for Medicare and Medicaid. The MA plans may not impose cost-sharing that exceeds the amount of cost-sharing that would be permitted with respect to the individual under title XIX if the individual were not enrolled in such a plan. The contracts must state that providers will -
(B) Bill the appropriate State source.
(iv) Ensure that the enrollee does not have any financial liability for services, items, or drugs furnished, ordered, or prescribed to the enrollee by an MA contracted individual or entity on the preclusion list, as defined in § 422.2 and as described in § 422.222.
(A) The provider will no longer be eligible for payment from the plan and will be prohibited from pursuing payment from the beneficiary as stipulated by the terms of the contract between CMS and the plan per § 422.504(g)(1)(iv); and
(B) The provider will hold financial liability for services, items, and drugs that are furnished, ordered, or prescribed after this 60-day period, at which point the provider and the beneficiary will have already received notification of the preclusion.
(ii) For enrollees who are hospitalized on the date its contract with CMS terminates, or, in the event of an insolvency, through discharge.
(i) Contractual arrangements;
(ii) Insurance acceptable to CMS;
(iii) Financial reserves acceptable to CMS; or
(h) Requirements of other laws and regulations. The MA organization agrees to comply with-
(1) Federal laws and regulations designed to prevent or ameliorate fraud, waste, and abuse, including, but not limited to, applicable provisions of Federal criminal law, the False Claims Act (31 U.S.C. 3729 et. seq.), and the anti-kickback statute (section 1128B(b)) of the Act); and
(i) MA organization relationship with first tier, downstream, and related entities.
(1) Notwithstanding any relationship(s) that the MA organization may have with first tier, downstream, and related entities, the MA organization maintains ultimate responsibility for adhering to and otherwise fully complying with all terms and conditions of its contract with CMS.
(2) The MA organization agrees to require all first tier, downstream, and related entities to agree that -
(i) HHS, the Comptroller General, or their designees have the right to audit, evaluate, collect, and inspect any books, contracts, computer or other electronic systems, including medical records and documentation of the first tier, downstream, and entities related to CMS' contract with the MA organization.
(ii) HHS, the Comptroller General, or their designees have the right to audit, evaluate, collect, and inspect any records under paragraph (i)(2)(i) of this section directly from any first tier, downstream, or related entity.
(iii) For records subject to review under paragraph (i)(2)(ii) of this section, except in exceptional circumstances, CMS will provide notification to the MA organization that a direct request for information has been initiated.
(iv) HHS', the Comptroller General's, or their designee's right to inspect, evaluate, and audit any pertinent information for any particular contract period will exist through 10 years from the final date of the contract period or from the date of completion of any audit, whichever is later.
(i) Enrollee protection provisions that provide, consistent with paragraph (g)(1) of this section, arrangements that prohibit providers from holding an enrollee liable for payment of any fees that are the obligation of the MA organization.
(ii) Accountability provisions that indicate that the MA organization may only delegate activities or functions to a first tier, downstream, or related entity, in a manner consistent with the requirements set forth at paragraph (i)(4) of this section.
(iii) A provision requiring that any services or other activity performed by a first tier, downstream, and related entity in accordance with a contract are consistent and comply with the MA organization's contractual obligations.
(4) If any of the MA organizations' activities or responsibilities under its contract with CMS are delegated to other parties, the following requirements apply to any first tier, downstream and related entity:
(i) Each and every contract must specify delegated activities and reporting responsibilities.
(ii) Each and every contract must either provide for revocation of the delegation activities and reporting requirements or specify other remedies in instances where CMS or the MA organization determine that such parties have not performed satisfactorily.
(iii) Each and every contract must specify that the performance of the parties is monitored by the MA organization on an ongoing basis.
(iv) Each and every contract must specify that either -
(A) The credentials of medical professionals affiliated with the party or parties will be either reviewed by the MA organization; or
(5) If the MA organization delegates selection of the providers, contractors, or subcontractor to another organization, the MA organization's contract with that organization must state that the CMS-contracting MA organization retains the right to approve, suspend, or terminate any such arrangement.
(j) Additional contract terms. The MA organization agrees to include in the contract such other terms and conditions as CMS may find necessary and appropriate in order to implement requirements in this part.
(k) Severability of contracts. The contract must provide that, upon CMS's request -
(2) A separate contract for any such excluded plan or entity will be deemed to be in place when such a request is made.
(l) Certification of data that determine payment. As a condition for receiving a monthly payment under subpart G of this part, the MA organization agrees that its chief executive officer (CEO), chief financial officer (CFO), or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must request payment under the contract on a document that certifies (based on best knowledge, information, and belief) the accuracy, completeness, and truthfulness of relevant data that CMS requests. Such data include specified enrollment information, encounter data, and other information that CMS may specify.
(1) The CEO, CFO, or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify that each enrollee for whom the organization is requesting payment is validly enrolled in an MA plan offered by the organization and the information relied upon by CMS in determining payment (based on best knowledge, information, and belief) is accurate, complete, and truthful.
(2) The CEO, CFO, or an individual delegated with the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify (based on best knowledge, information, and belief) that the data it submits under § 422.310 are accurate, complete, and truthful.
(3) If such data are generated by a related entity, contractor, or subcontractor of an MA organization, such entity, contractor, or subcontractor must similarly certify (based on best knowledge, information, and belief) the accuracy, completeness, and truthfulness of the data.
(4) The CEO, CFO, or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify (based on best knowledge, information, and belief) that the information in its bid submission is accurate, complete, and truthful and fully conforms to the requirements in § 422.254.
(5) Certification of accuracy of data for overpayments. The CEO, CFO, or COO must certify (based on best knowledge, information, and belief) that the information provided for purposes of reporting and returning of overpayments under § 422.326 is accurate, complete, and truthful.
(m) Issuance of compliance actions for failure to comply with the terms of the contract. The MA organization acknowledges that CMS may take compliance actions as described in this section or intermediate sanctions as defined in subpart O of this part.
(1) CMS may take compliance actions as described in paragraph (m)(3) of this section if it determines that the MA organization has not complied with the terms of a current or prior Part C contract with CMS.
(i) CMS may determine that an MA organization is out of compliance with a Part C requirement when the organization fails to meet performance standards articulated in the Part C statutes, regulations in this chapter, or guidance.
(ii) If CMS has not already articulated a measure for determining noncompliance, CMS may determine that an MA organization is out of compliance when its performance in fulfilling Part C requirements represents an outlier relative to the performance of other MA organizations.
(2) CMS bases its decision on whether to issue a compliance action and what level of compliance action to take on an assessment of the circumstances surrounding the noncompliance, including all of the following:
(i) The nature of the conduct.
(ii) The degree of culpability of the MA organization.
(iii) The adverse effect to beneficiaries which resulted or could have resulted from the conduct of the MA organization.
(iv) The history of prior offenses by the MA organization or its related entities.
(v) Whether the noncompliance was self-reported.
(vi) Other factors which relate to the impact of the underlying noncompliance or the lack of the MA organization's oversight of its operations that contributed to the noncompliance.
(3) CMS may take one of three types of compliance actions based on the nature of the noncompliance.
(i) Notice of noncompliance. A notice of noncompliance may be issued for any failure to comply with the requirements of the MA organization's current or prior Part C contract with CMS, as described in paragraph (m)(1) of this section.
(ii) Warning letter. A warning letter may be issued for serious and/or continued noncompliance with the requirements of the MA organization's current or prior Part C contract with CMS, as described in paragraph (m)(1) of this section and as assessed in accordance with paragraph (m)(2) of this section.
(iii) Corrective action plan.
(A) Corrective action plans are requested for particularly serious or continued noncompliance with the requirements of the MA organization's current or prior Part C contract with CMS, as described in paragraph (m)(1) of this section and as assessed in accordance with paragraph (m)(2) of this section.
(B) CMS issues a corrective action plan if CMS determines that the MA organization has repeated or not corrected noncompliance identified in prior compliance actions, has substantially impacted beneficiaries or the program with its noncompliance, or must implement a detailed plan to correct the underlying causes of the noncompliance.
(n) Acknowledgements of CMS release of data -
(1) Summary CMS payment data. The contract must provide that the MA organization acknowledges that CMS releases to the public summary reconciled CMS payment data after the reconciliation of Part C and Part D payments for the contract year as follows:
(i) For Part C, the following data -
(C) Average Part C risk score for each MA plan offered.
(o) Business continuity.
(1) The MA organization agrees to develop, maintain, and implement a business continuity plan containing policies and procedures to ensure the restoration of business operations following disruptions to business operations which would include natural or man-made disasters, system failures, emergencies, and other similar circumstances and the threat of such occurrences. To meet the requirement, the business continuity plan must, at a minimum, include the following:
(i) Risk assessment. Identify threats and vulnerabilities that might affect business operations.
(ii) Mitigation strategy. Design strategies to mitigate hazards. Identify essential functions in addition to those specified in paragraph (o)(2) of this section and prioritize the order in which to restore all other functions to normal operations. At a minimum, each MA organization must do the following:
(A) Identify specific events that will activate the business continuity plan.
(B) Develop a contingency plan to maintain, during any business disruption, the availability and, as applicable, confidentiality of communication systems and essential records in all forms (including electronic and paper copies). The contingency plan must do the following:
(1) Ensure that during any business disruption the following systems will operate continuously or, should they fail, be restored to operational capacity on a timely basis:
(i) Information technology (IT) systems including those supporting claims processing at point of service.
(ii) Provider and enrollee communication systems including telephone, Web site, and email.
(2) With respect to electronic protected health information, comply with the contingency plan requirements of the Health Insurance Portability and Accountability Act of 1996 Security Regulations at 45 CFR parts 160 and 164, subparts A and C.
(C) Establish a chain of command.
(D) Establish a business communication plan that includes emergency capabilities and procedures to contact and communicate with the following:
(2) First tier, downstream, and related entities.
(3) Other third parties (including pharmacies, providers, suppliers, and government and emergency management officials).
(E) Establish employee and facility management plans to ensure that essential operations and job responsibilities can be assumed by other employees or moved to alternate sites as necessary.
(F) Establish a restoration plan including procedures to transition to normal operations.
(G) Comply with all applicable Federal, State, and local laws.
(iii) Testing and revision. On at least an annual basis, test and update the business operations continuity plan to ensure the following:
(A) That it can be implemented in emergency situations.
(B) That employees understand how it is to be executed.
(iv) Training. On at least an annual basis, educate appropriate employees about the business continuity plan and their own respective roles.
(A) Develop and maintain records documenting the elements of the business continuity plan described in paragraphs (o)(1)(i) through (iv) of this section.
(2) Restoration of essential functions. Every MA organization must plan to restore essential functions within 72 hours after any of the essential functions fail or otherwise stop functioning as usual. In addition to any essential functions that the MA organization identifies under paragraph (o)(1)(ii) of this section, for purposes of this paragraph (o)(2) of the section essential functions include, at a minimum, the following:
(ii) Operation of call center customer services.