The contract between the MA organization and CMS must contain the following provisions:
(a) Agreement to comply with regulations and instructions. The MA organization agrees to comply with all the applicable requirements and conditions set forth in this part and in general instructions. An MA organization's compliance with paragraphs (a)(1) through (a)(13) of this section is material to performance of the contract. The MA organization agrees--
(1) To accept new enrollments, make enrollments effective, process voluntary disenrollments, and limit involuntary disenrollments, as provided in subpart B of this part.
(2) That it will comply with the prohibition in Sec. 422.110 on discrimination in beneficiary enrollment.
(3) To provide--
(i) The basic benefits as required under Sec. 422.101 and, to the extent applicable, supplemental benefits under Sec. 422.102; and
(ii) Access to benefits as required under subpart C of this part;
(iii) In a manner consistent with professionally recognized standards of health care, all benefits covered by Medicare.
(4) To disclose information to beneficiaries in the manner and the form prescribed by CMS as required under Sec. 422.111;
(5) To operate a quality assurance and performance improvement program and have an agreement for external quality review as required under subpart D of this part;
(6) To comply with all applicable provider requirements in subpart E of this part, including provider certification requirements, anti-discrimination requirements, provider participation and consultation requirements, the prohibition on interference with provider advice, limits on provider indemnification, rules governing payments to providers, and limits on physician incentive plans;
(7) To comply with all requirements in subpart M of this part governing coverage determinations, grievances, and appeals;
(8) To comply with the reporting requirements in Sec. 422.516 and the requirements in Sec. 422.310 for submitting data to CMS;
(9) That it will be paid under the contract in accordance with the payment rules in subpart G of this part;
(10) To develop its annual bid, and submit all required information on premiums, benefits, and cost-sharing by not later than the first Monday in June, as provided in subpart F of this part;
(11) That its contract may not be renewed or may be terminated in accordance with this subpart and subpart N of this part.
(12) To comply with all requirements that are specific to a particular type of MA plan, such as the special rules for private fee-for-service plans in Secs. 422.114 and 422.216 and the MSA requirements in Secs. 422.56, 422.103, and 422.262; and
(13) To comply with the confidentiality and enrollee record accuracy requirements in Sec. 422.118.
(14) Maintain a fiscally sound operation by at least maintaining a positive net worth (total assets exceed total liabilities).
(15) Address complaints received by CMS against the MAO by--
(i) Addressing and resolving complaints in the CMS complaint tracking system.
(ii) Displaying a link to the electronic complaint form on the Medicare.gov Internet Web site on the MA plan's main Web page.
(16) An MA organization's compliance with paragraphs (a)(1) through (15) and (c) of this section is material to performance of the contract.
(17) To maintain administrative and management capabilities sufficient for the organization to organize, implement, and control the financial, marketing, benefit administration, and quality improvement activities related to the delivery of Part C services.
(18) To maintain a Part C summary plan rating score of at least 3 stars. A Part C summary plan rating is calculated by taking an average of a contract's Part C performance measure scores.
(b) Communication with CMS. The MA organization must have the capacity to communicate with CMS electronically.
(c) Prompt payment. The MA organization must comply with the prompt payment provisions of Sec. 422.520 and with instructions issued by CMS, as they apply to each type of plan included in the contract.
(d) Maintenance of records. The MA organization agrees to maintain for 10 years books, records, documents, and other evidence of accounting procedures and practices that--
(1) Are sufficient to do the following:
(i) Accommodate periodic auditing of the financial records (including data related to Medicare utilization, costs, and computation of the bid) of MA organizations.
(ii) Enable CMS to inspect or otherwise evaluate the quality, appropriateness and timeliness of services performed under the contract, and the facilities of the organization.
(iii) Enable CMS to audit and inspect any books and records of the MA organization that pertain to the ability of the organization to bear the risk of potential financial losses, or to services performed or determinations of amounts payable under the contract.
(iv) Properly reflect all direct and indirect costs claimed to have been incurred and used in the preparation of the bid proposal.
(v) Establish component rates of the bid for determining additional and supplementary benefits.
(vi) Determine the rates utilized in setting premiums for State insurance agency purposes and for other government and private purchasers; and
(2) Include at least records of the following:
(i) Ownership and operation of the MA organization's financial, medical, and other record keeping systems.
(ii) Financial statements for the current contract period and 10 prior periods.
(iii) Federal income tax or informational returns for the current contract period and 10 prior periods.
(iv) Asset acquisition, lease, sale, or other action.
(v) Agreements, contracts, and subcontracts.
(vi) Franchise, marketing, and management agreements.
(vii) Schedules of charges for the MA organization's fee-for-service patients.
(viii) Matters pertaining to costs of operations.
(ix) Amounts of income received by source and payment.
(x) Cash flow statements.
(xi) Any financial reports filed with other Federal programs or State authorities.
(e) Access to facilities and records. The MA organization agrees to the following:
(1) HHS, the Comptroller General, or their designee may evaluate, through inspection, audit, or other means--
(i) The quality, appropriateness, and timeliness of services furnished to Medicare enrollees under the contract;
(ii) Compliance with CMS requirements for maintaining the privacy and security of protected health information and other personally identifiable information of Medicare enrollees;
(iii) The facilities of the MA organization to include computer and other electronic systems; and
(iv) The enrollment and disenrollment records for the current contract period and 10 prior periods.
(2) HHS, the Comptroller General, or their designees may audit, evaluate, or inspect any books, contracts, medical records, patient care documentation, and other records of the MA organization, related entity, contractor, subcontractor, or its transferee that pertain to any aspect of services performed, reconciliation of benefit liabilities, and determination of amounts payable under the contract, or as the Secretary may deem necessary to enforce the contract.
(3) The MA organization agrees to make available, for the purposes specified in paragraph (d) of this section, its premises, physical facilities and equipment, records relating to its Medicare enrollees, and any additional relevant information that CMS may require.
(4) HHS, the Comptroller General, or their designee's right to inspect, evaluate, and audit extends through 10 years from the end of the final contract period or completion of audit, whichever is later unless--
(i) CMS determines there is a special need to retain a particular record or group of records for a longer period and notifies the MA organization at least 30 days before the normal disposition date;
(ii) There has been a termination, dispute, or allegation of fraud or similar fault by the MA organization, in which case the retention may be extended to 6 years from the date of any resulting final resolution of the termination, dispute, fraud, or similar fault; or
(iii) CMS determines that there is a reasonable possibility of fraud or similar fault, in which case CMS may inspect, evaluate, and audit the MA organization at any time.
(f) Disclosure of information. The MA organization agrees to submit--
(1) To CMS, certified financial information that must include the following:
(i) Such information as CMS may require demonstrating that the organization has a fiscally sound operation.
(ii) Such information as CMS may require pertaining to the disclosure of ownership and control of the MA organization.
(2) To CMS, all information that is necessary for CMS to administer and evaluate the program and to simultaneously establish and facilitate a process for current and prospective beneficiaries to exercise choice in obtaining Medicare services. This information includes, but is not limited to:
(i) The benefits covered under an MA plan;
(ii) The MA monthly basic beneficiary premium and MA monthly supplemental beneficiary premium, if any, for the plan or in the case of an MSA plan, the MA monthly MSA premium.
(iii) The service area and continuation area, if any, of each plan and the enrollment capacity of each plan;
(iv) Plan quality and performance indicators for the benefits under the plan including--
(A) Disenrollment rates for Medicare enrollees electing to receive benefits through the plan for the previous 2 years;
(B) Information on Medicare enrollee satisfaction;
(C) Information on health outcomes;
(D) The recent record regarding compliance of the plan with requirements of this part, as determined by CMS; and
(E) Other information determined by CMS to be necessary to assist beneficiaries in making an informed choice among MA plans and traditional Medicare;
(v) Information about beneficiary appeals and their disposition;
(vi) Information regarding all formal actions, reviews, findings, or other similar actions by States, other regulatory bodies, or any other certifying or accrediting organization;
(vii) To CMS, any other information deemed necessary by CMS for the administration or evaluation of the Medicare program.
(3) To its enrollees all informational requirements under Sec. 422.64 and, upon an enrollee's request, the financial disclosure information required under Sec. 422.516.
(g) Beneficiary financial protections. The MA organization agrees to comply with the following requirements:
(1) Effective January 1, 2010, each MA organization must adopt and maintain arrangements satisfactory to CMS to protect its enrollees from incurring liability (for example, as a result of an organization's insolvency or other financial difficulties) for payment of any fees that are the legal obligation of the MA organization. To meet this requirement, the MA organization must--
(i) Ensure that all contractual or other written arrangements with providers prohibit the organization's providers from holding any enrollee liable for payment of any such fees;
(ii) Indemnify the enrollee for payment of any fees that are the legal obligation of the MA organization for services furnished by providers that do not contract, or that have not otherwise entered into an agreement with the MA organization, to provide services to the organization's enrollees; and
(iii) For all MA organizations with enrollees eligible for both Medicare and Medicaid, specify in contracts with providers that such enrollees will not be held liable for Medicare Part A and B cost sharing when the State is responsible for paying such amounts, and inform providers of Medicare and Medicaid benefits, and rules for enrollees eligible for Medicare and Medicaid. The MA plans may not impose cost-sharing that exceeds the amount of cost-sharing that would be permitted with respect to the individual under title XIX if the individual were not enrolled in such a plan. The contracts must state that providers will--
(A) Accept the MA plan payment as payment in full, or
(B) Bill the appropriate State source.
(2) The MA organization must provide for continuation of enrollee health care benefits--
(i) For all enrollees, for the duration of the contract period for which CMS payments have been made; and
(ii) For enrollees who are hospitalized on the date its contract with CMS terminates, or, in the event of an insolvency, through discharge.
(3) In meeting the requirements of this paragraph, other than the provider contract requirements specified in paragraph (g)(1)(i) of this section, the MA organization may use--
(i) Contractual arrangements;
(ii) Insurance acceptable to CMS;
(iii) Financial reserves acceptable to CMS; or
(iv) Any other arrangement acceptable to CMS.
(h) Requirements of other laws and regulations. The MA organization agrees to comply with--
(1) Federal laws and regulations designed to prevent or ameliorate fraud, waste, and abuse, including, but not limited to, applicable provisions of Federal criminal law, the False Claims Act (31 U.S.C. 3729 et seq.), and the anti-kickback statute (section 1128B(b) of the Act); and
(2) HIPAA administrative simplification rules at 45 CFR parts 160, 162, and 164.
(i) MA organization relationship with first tier, downstream, and related entities. (1) Notwithstanding any relationship(s) that the MA organization may have with first tier, downstream, and related entities, the MA organization maintains ultimate responsibility for adhering to and otherwise fully complying with all terms and conditions of its contract with CMS.
(2) The MA organization agrees to require all first tier, downstream, and related entities to agree that--
(i) HHS, the Comptroller General, or their designees have the right to audit, evaluate, collect, and inspect any books, contracts, computer or other electronic systems, including medical records and documentation of the first tier, downstream, and entities related to CMS' contract with the MA organization.
(ii) HHS, the Comptroller General, or their designees have the right to audit, evaluate, collect, and inspect any records under paragraph (i)(2)(i) of this section directly from any first tier, downstream, or related entity.
(iii) For records subject to review under paragraph (i)(2)(ii) of this section, except in exceptional circumstances, CMS will provide notification to the MA organization that a direct request for information has been initiated.
(iv) HHS', the Comptroller General's, or their designee's right to inspect, evaluate, and audit any pertinent information for any particular contract period will exist through 10 years from the final date of the contract period or from the date of completion of any audit, whichever is later.
(3) All contracts or written arrangements between MA organizations and first tier, downstream, and related entities must contain the following:
(i) Enrollee protection provisions that provide, consistent with paragraph (g)(1) of this section, arrangements that prohibit providers from holding an enrollee liable for payment of any fees that are the obligation of the MA organization.
(ii) Accountability provisions that indicate that the MA organization may only delegate activities or functions to a first tier, downstream, or related entity, in a manner consistent with the requirements set forth at paragraph (i)(4) of this section.
(iii) A provision requiring that any services or other activity performed by a first tier, downstream, and related entity in accordance with a contract are consistent and comply with the MA organization's contractual obligations.
(4) If any of the MA organizations' activities or responsibilities under its contract with CMS are delegated to other parties, the following requirements apply to any first tier, downstream and related entity:
(i) Each and every contract must specify delegated activities and reporting responsibilities.
(ii) Each and every contract must either provide for revocation of the delegation activities and reporting requirements or specify other remedies in instances where CMS or the MA organization determine that such parties have not performed satisfactorily.
(iii) Each and every contract must specify that the performance of the parties is monitored by the MA organization on an ongoing basis.
(iv) Each and every contract must specify that either--
(A) The credentials of medical professionals affiliated with the party or parties will be either reviewed by the MA organization; or
(B) The credentialing process will be reviewed and approved by the MA organization and the MA organization must audit the credentialing process on an ongoing basis.
(v) All contracts or written arrangements must specify that the related entity, contractor, or subcontractor must comply with all applicable Medicare laws, regulations, and CMS instructions.
(5) If the MA organization delegates selection of the providers, contractors, or subcontractor to another organization, the MA organization's contract with that organization must state that the CMS-contracting MA organization retains the right to approve, suspend, or terminate any such arrangement.
(j) Additional contract terms. The MA organization agrees to include in the contract such other terms and conditions as CMS may find necessary and appropriate in order to implement requirements in this part.
(k) Severability of contracts. The contract must provide that, upon CMS's request--
(1) The contract will be amended to exclude any MA plan or State-licensed entity specified by CMS; and
(2) A separate contract for any such excluded plan or entity will be deemed to be in place when such a request is made.
(l) Certification of data that determine payment. As a condition for receiving a monthly payment under subpart G of this part, the MA organization agrees that its chief executive officer (CEO), chief financial officer (CFO), or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must request payment under the contract on a document that certifies (based on best knowledge, information, and belief) the accuracy, completeness, and truthfulness of relevant data that CMS requests. Such data include specified enrollment information, encounter data, and other information that CMS may specify.
(1) The CEO, CFO, or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify that each enrollee for whom the organization is requesting payment is validly enrolled in an MA plan offered by the organization and the information relied upon by CMS in determining payment (based on best knowledge, information, and belief) is accurate, complete, and truthful.
(2) The CEO, CFO, or an individual delegated with the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify (based on best knowledge, information, and belief) that the data it submits under Sec. 422.310 are accurate, complete, and truthful.
(3) If such data are generated by a related entity, contractor, or subcontractor of an MA organization, such entity, contractor, or subcontractor must similarly certify (based on best knowledge, information, and belief) the accuracy, completeness, and truthfulness of the data.
(4) The CEO, CFO, or an individual delegated the authority to sign on behalf of one of these officers, and who reports directly to such officer, must certify (based on best knowledge, information, and belief) that the information in its bid submission is accurate, complete, and truthful and fully conforms to the requirements in Sec. 422.254.
(5) Certification of accuracy of data for overpayments. The CEO, CFO, or COO must certify (based on best knowledge, information, and belief) that the information provided for purposes of reporting and returning of overpayments under Sec. 422.326 is accurate, complete, and truthful.
(m)(1) CMS may determine that an MA organization is out of compliance with a Part C requirement when the organization fails to meet performance standards articulated in the Part C statutes, regulations, or guidance.
(2) If CMS has not already articulated a measure for determining noncompliance, CMS may determine that an MA organization is out of compliance when its performance in fulfilling Part C requirements represents an outlier relative to the performance of other MA organizations.
(n) Release of summary CMS payment data. The contract must provide that the MA organization acknowledges that CMS releases to the public summary reconciled CMS payment data after the reconciliation of Part C and Part D payments for the contract year as follows:
(1) For Part C, the following data--
(i) Average per member per month CMS payment amount for A/B (original Medicare) benefits for each MA plan offered, standardized to the 1.0 (average risk score) beneficiary.
(ii) Average per member per month CMS rebate payment amount for each MA plan offered (or, in the case of MSA plans, the monthly MSA deposit amount).
(iii) Average Part C risk score for each MA plan offered.
(iv) County level average per member per month CMS payment amount for each plan type in that county, weighted by enrollment and standardized to the 1.0 (average risk score) beneficiary in that county.
(2) For Part D plan sponsors, plan payment data in accordance with Sec. 423.505(o) of this subchapter.
(o) Business continuity. (1) The MA organization agrees to develop, maintain, and implement a business continuity plan containing policies and procedures to ensure the restoration of business operations following disruptions to business operations which would include natural or man-made disasters, system failures, emergencies, and other similar circumstances and the threat of such occurrences. To meet the requirement, the business continuity plan must, at a minimum, include the following:
(i) Risk assessment. Identify threats and vulnerabilities that might affect business operations.
(ii) Mitigation strategy. Design strategies to mitigate hazards. Identify essential functions in addition to those specified in paragraph (o)(2) of this section and prioritize the order in which to restore all other functions to normal operations. At a minimum, each MA organization must do the following:
(A) Identify specific events that will activate the business continuity plan.
(B) Develop a contingency plan to maintain, during any business disruption, the availability and, as applicable, confidentiality of communication systems and essential records in all forms (including electronic and paper copies). The contingency plan must do the following:
(1) Ensure that during any business disruption the following systems will operate continuously or, should they fail, be restored to operational capacity on a timely basis:
(i) Information technology (IT) systems including those supporting claims processing at point of service.
(ii) Provider and enrollee communication systems including telephone, Web site, and email.
(2) With respect to electronic protected health information, comply with the contingency plan requirements of the Health Insurance Portability and Accountability Act of 1996 Security Regulations at 45 CFR parts 160 and 164, subparts A and C.
(C) Establish a chain of command.
(D) Establish a business communication plan that includes emergency capabilities and procedures to contact and communicate with the following:
(1) Employees.
(2) First tier, downstream, and related entities.
(3) Other third parties (including pharmacies, providers, suppliers, and government and emergency management officials).
(E) Establish employee and facility management plans to ensure that essential operations and job responsibilities can be assumed by other employees or moved to alternate sites as necessary.
(F) Establish a restoration plan including procedures to transition to normal operations.
(G) Comply with all applicable Federal, State, and local laws.
(iii) Testing and revision. On at least an annual basis, test and update the business operations continuity plan to ensure the following:
(A) That it can be implemented in emergency situations.
(B) That employees understand how it is to be executed.
(iv) Training. On at least an annual basis, educate appropriate employees about the business continuity plan and their own respective roles.
(v) Records. (A) Develop and maintain records documenting the elements of the business continuity plan described in paragraphs (o)(1)(i) through (iv) of this section.
(B) Make the information specified in paragraph (o)(1)(v)(A) of this section available to CMS upon request.
(2) Restoration of essential functions. Every MA organization must plan to restore essential functions within 72 hours after any of the essential functions fail or otherwise stop functioning as usual. In addition to any essential functions that the MA organization identifies under paragraph (o)(1)(ii) of this section, for purposes of this paragraph (o)(2) of the section essential functions include, at a minimum, the following:
(i) Benefit authorization (if not waived) for services to be immediately furnished at a hospital, clinic, provider office, or other place of service.
(ii) Operation of call center customer services.
[63 FR 35099, June 26, 1998; 63 FR 52614, Oct. 1, 1998]
Editorial Note: For Federal Register citations affecting Sec. 422.504, see the List of CFR Sections Affected, which appears in the Finding Aids section of the printed volume and at www.fdsys.gov.