§ 153.620 - Compliance with risk adjustment standards.  


Latest version.
  • § 153.620 Compliance with risk adjustment standards.

    (a) Issuer support of data validation. An issuer that offers risk adjustment covered plans must comply with any data validation requests by the State or HHS on behalf of the State.

    (b) Issuer records maintenance requirements. An issuer that offers risk adjustment covered plans must also maintain documents and records, whether paper, electronic, or in other media, sufficient to enable the evaluation of the issuer's compliance with applicable risk adjustment standards, for each benefit year for at least 10 years, and must make those documents and records available upon request to HHS, the OIG, the Comptroller General, or their designees, or in a State where the State is operating risk adjustment, the State or its designee to any such entity, for purposes of verification, investigation, audit or other review.

    (c) Audits and compliance reviews. HHS or its designee may audit or conduct a compliance review of an issuer of a risk adjustment covered plan to assess its compliance with respect to the applicable requirements of in this subpart and subpart H of this part. The issuer must ensure that its relevant contractors, subcontractors, or agents cooperate with any audit under this section. If an audit results in a finding of material weakness or significant deficiency with respect to compliance with any requirement of this subpart or subpart H of this part, the issuer must Compliance reviews conducted under this section will follow the standards set forth in § 156.715 of this subchapter.

    (1) Notice of audit. HHS will provide at least 30 calendar days advance notice of its intent to conduct an audit of an issuer of a risk adjustment covered plan.

    (i) Conferences. All audits will include an entrance conference at which the scope of the audit will be presented and an exit conference at which the initial audit findings will be discussed.

    (ii) [Reserved]

    (2) Compliance with audit activities. To comply with an audit under this section, the issuer must:

    (i) Ensure that its relevant employees, agents, contractors, subcontractors, downstream entities, and delegated entities cooperate with any audit or compliance review under this section;

    (ii) Submit complete and accurate data to HHS or its designees that is necessary to complete the audit, in the format and manner specified by HHS, no later than 30 calendar days after the initial audit response deadline established by HHS at the audit entrance conference described in paragraph (c)(1)(i) of this section for the applicable benefit year;

    (iii) Respond to all audit notices, letters, and inquiries, including requests for supplemental or supporting information, as requested by HHS, no later than 15 calendar days after the date of the notice, letter, request, or inquiry; and

    (iv) In circumstances in which an issuer cannot provide the requested data or response to HHS within the timeframes under paragraphs (c)(2)(ii) or (iii) of this section, as applicable, the issuer may make a written request for an extension to HHS. The extension request must be submitted within the timeframe established under paragraphs (c)(2)(ii) or (iii) of this section, as applicable, and must detail the reason for the extension request and the good cause in support of the request. If the extension is granted, the issuer must respond within the timeframe specified in HHS's notice granting the extension of time.

    (3) Preliminary audit findings. HHS will share its preliminary audit findings with the issuer, who will then have 30 calendar days to respond to such findings in the format and manner specified by HHS.

    (i) If the issuer does not dispute or otherwise respond to the preliminary findings, the audit findings will become final.

    (ii) If the issuer responds and disputes the preliminary findings, HHS will review and consider such response and finalize the audit findings after such review.

    (4) Final audit findings. If an audit results in the inclusion of a finding in the final audit report, the issuer must comply with the actions set forth in the final audit report in the manner and timeframe established by HHS, and the issuer must complete all of the following:

    (

    1

    i) Within

    30

    45 calendar days of the issuance of the final audit report, provide a written corrective action plan to HHS for approval.

    (

    2

    ii) Implement that plan.

    (

    3

    iii) Provide to HHS written documentation of the corrective actions once taken.

    (5) Failure to comply with audit activities. If an issuer fails to comply with the audit activities set forth in this subsection in the manner and timeframes specified by HHS:

    (i) HHS will notify the issuer of the risk adjustment (including high-cost risk pool) payments that the issuer has not adequately substantiated; and

    (ii) HHS will notify the issuer that HHS may recoup any risk adjustment (including high-cost risk pool) payments identified in paragraph (c)(5)(i) of this section.

    [77 FR 17245, Mar. 23, 2012, as amended at 78 FR 65095, Oct. 30, 2013; 79 FR 13836, Mar. 11, 2014; 86 FR 24287, May 5, 2021]