42 C.F.R. § 422.503
(b) Conditions necessary to contract as an MA organization. Any entity seeking to contract as an MA organization must:
(4) Have administrative and management arrangements satisfactory to CMS, as demonstrated by at least the following:
(vi) Adopt and implement an effective compliance program, which must include measures that prevent, detect, and correct non-compliance with CMS' program requirements as well as measures that prevent, detect, and correct fraud, waste, and abuse. The compliance program must, at a minimum, include the following core requirements:
(A) Written policies, procedures, and standards of conduct that—
(1) Articulate the organization's commitment to comply with all applicable Federal and State standards;
(2) Describe compliance expectations as embodied in the standards of conduct;
(3) Implement the operation of the compliance program;
(4) Provide guidance to employees and others on dealing with potential compliance issues;
(5) Identify how to communicate compliance issues to appropriate compliance personnel;
(6) Describe how potential compliance issues are investigated and resolved by the organization; and
(7) Include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials.
(B) The designation of a compliance officer and a compliance committee who report directly and are accountable to the organization's chief executive or other senior management.
(1) The compliance officer, vested with the day-to-day operations of the compliance program, must be an employee of the MA organization, parent organization or corporate affiliate. The compliance officer may not be an employee of the MA organization's first tier, downstream or related entity.
(2) The compliance officer and the compliance committee must periodically report directly to the governing body of the MA organization on the activities and status of the compliance program, including issues identified, investigated, and resolved by the compliance program.
(3) The governing body of the MA organization must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance programs.
(C) (1) Each MA organization must establish and implement effective training and education for its compliance officer and organization employees, the MA organization's chief executive and other senior administrators, managers and governing body members.
(2) Such training and education must occur at a minimum annually and must be made a part of the orientation for a new employee and new appointment to a chief executive, manager, or governing body member.
(E) Well-publicized disciplinary standards through the implementation of procedures which encourage good faith participation in the compliance program by all affected individuals. These standards must include policies that—
(1) Articulate expectations for reporting compliance issues and assist in their resolution,
(2) Identify noncompliance or unethical behavior; and
(3) Provide for timely, consistent, and effective enforcement of the standards when noncompliance or unethical behavior is determined.
(G) Establishment and implementation of procedures and a system for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of self-evaluations and audits, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensure ongoing compliance with CMS requirements.
(1) If the MA organization discovers evidence of misconduct related to payment or delivery of items or services under the contract, it must conduct a timely, reasonable inquiry into that conduct.
(2) The MA organization must conduct appropriate corrective actions (for example, repayment of overpayments, disciplinary actions against responsible employees) in response to the potential violation referenced in paragraph (b)(4)(vi)(G)(1) of this section.
(3) The MA organization should have procedures to voluntarily self-report potential fraud or misconduct related to the MA program to CMS or its designee.
(4) The MA organization must have procedures to identify, and must report to CMS or its designee either of the following, in the manner described in paragraphs (b)(4)(vi)(G)(4) through (6) of this section:
(i) Any payment suspension implemented by a plan, pending investigation of credible allegations of fraud by a pharmacy, which must be implemented in the same manner as the Secretary does under section 1862(o)(1) of the Act.
(ii) Any information concerning investigations, credible evidence of suspicious activities of a provider of services (including a prescriber) or supplier, and other actions taken by the plan related to the inappropriate prescribing of opioids.
(5) The MA organization must submit data, as specified in this section, in the program integrity portal when reporting payment suspensions pending investigations of credible allegations of fraud by pharmacies; information related to the inappropriate prescribing of opioids and concerning investigations and credible evidence of suspicious activities of a provider of services (including a prescriber) or supplier, and other actions taken by the MA organization; or if the plan reports a referral, through the portal, of substantiated or suspicious activities of a provider of services (including a prescriber) or a supplier related to fraud, waste, or abuse to initiate or assist with investigations conducted by CMS, or its designee, a Medicare program integrity contractor, or law enforcement partners. The data categories, as applicable, include referral information and actions taken by the MA organization on the referral.
(6)(i) The MA organization is required to notify the Secretary, or its designee, of a payment suspension described in paragraph (b)(4)(vi)(G)(4)(i) of this section 7 days prior to implementation of the payment suspension. The MA organization may request an exception to the 7-day prior notification to the Secretary, or its designee, if circumstances warrant a reduced reporting time frame, such as potential beneficiary harm.
(ii) The MA organization is required to submit the information described in paragraph (b)(4)(vi)(G)(4)(ii) of this section no later than January 30, April 30, July 30, and October 30 of each year for the preceding periods, respectively, of October 1 through December 31, January 1 through March 31, April 1 through June 30, and July 1 through September 30. For the first reporting period (January 30, 2022), the reporting will reflect the data gathered and analyzed for the previous quarter in the calendar year (October 1-December 31).
(7)(i) CMS will provide MA organizations with data report(s) or links to the information described in paragraphs (b)(4)(vi)(G)(4)(i) and (ii) of this section no later than April 15, July 15, October 15, and January 15 of each year based on the information in the portal, respectively, as of the preceding October 1 through December 31, January 1 through March 31, April 1 through June 30, and July 1 through September 30.
(ii) Include administrative actions, pertinent information related to opioid overprescribing, and other data determined appropriate by the Secretary in consultation with stakeholders.
(iii) Are anonymized information submitted by plans without identifying the source of such information.
(iv) For the first quarterly report (April 15, 2022), that the report reflect the data gathered and analyzed for the previous quarter submitted by the plan sponsors on January 30, 2022.
(5) Not accept new enrollees under a section 1876 reasonable cost contract in any area in which it seeks to offer an MA plan.
(6) The MA organization's contract must not have been non-renewed under § 422.506 within the past 2 years unless—
(d) Protection against fraud and beneficiary protections.
(2) Each contract under this section must provide that CMS, or any person or organization designated by CMS has the right to:
(iii) Audit and inspect any books, contracts, and records of the MA organization that pertain to—
(e) Severability of contracts. The contract must provide that, upon CMS's request—
[63 FR 35099, June 26, 1998, as amended at 65 FR 40327, June 29, 2000. Redesignated at 70 FR 4736, Jan. 28, 2005, and amended at 70 FR 4737, Jan. 28, 2005; 70 FR 52027, Sept. 1, 2005; 70 FR 76198, Dec. 23, 2005; 72 FR 68722, Dec. 5, 2007; 75 FR 19809, Apr. 15, 2010; 79 FR 29958, May 23, 2014; 80 FR 7960, Feb. 12, 2015; 83 FR 16733, Apr. 16, 2018; 86 FR 6099, Jan. 19, 2021; 87 FR 27896, May 9, 2022; 88 FR 22334, Apr. 12, 2023; 89 FR 30824, Apr. 23, 2024]