(a) Data requirements. An issuer that offers risk adjustment covered plans must submit or make accessible all required risk adjustment data for those risk adjustment covered plans in accordance with the risk adjustment data collection approach established by the State, or by HHS on behalf of the State.

(b) Risk adjustment data storage. An issuer that offers risk adjustment covered plans must store all required risk adjustment data in accordance with the risk adjustment data collection approach established by the State, or by HHS on behalf of the State.

(c) Issuer contracts. An issuer that offers risk adjustment covered plans may include in its contract with a provider, supplier, physician, or other practitioner, provisions that require such contractor's submission of complete and accurate risk adjustment data in the manner and timeframe established by the State, or HHS on behalf of the State. These provisions may include financial penalties for failure to submit complete, timely, or accurate data.

(d) Assessment of charges. An issuer that offers risk adjustment covered plans that has a net balance of risk adjustment charges payable, including adjustments made pursuant to § 153.350(c), will be notified by the State, or by HHS on behalf of the State, of those net charges, and must remit those risk adjustment charges to the State, or to HHS on behalf of the State, as applicable.

(e) Charge submission deadline. An issuer must remit net charges to the State, or HHS on behalf of the State, within 30 days of notification of net charges payable by the State, or HHS on behalf of the State.

(f) Assessment and collection of user fees for HHS risk adjustment operations. Where HHS is operating risk adjustment on behalf of a State, an issuer of a risk adjustment covered plan (other than a student health plan or a plan not subject to 45 CFR 147.102, 147.104, 147.106, 156.80, and subpart B of part 156) must, for each benefit year—

(1) Submit or make accessible to HHS its monthly enrollment for the risk adjustment covered plan for the benefit year through the risk adjustment data collection approach established at § 153.610(a), in a manner and timeframe specified by HHS; and

(2) Remit to HHS an amount equal to the product of its monthly billable enrollment in the risk adjustment covered plan multiplied by the per-enrollee-per-month risk adjustment user fee specified in the annual HHS notice of benefit and payment parameters for the applicable benefit year.

[77 FR 17248, Mar. 23, 2012, as amended at 78 FR 15531, Mar. 11, 2013; 81 FR 94174, Dec. 22, 2016]

Link to an amendment published at 89 FR 26419, Apr. 15, 2024.

(a) Issuer support of data validation. An issuer that offers risk adjustment covered plans must comply with any data validation requests by the State or HHS on behalf of the State.

(b) Issuer records maintenance requirements. An issuer that offers risk adjustment covered plans must also maintain documents and records, whether paper, electronic, or in other media, sufficient to enable the evaluation of the issuer's compliance with applicable risk adjustment standards, for each benefit year for at least 10 years, and must make those documents and records available upon request to HHS, the OIG, the Comptroller General, or their designees, or in a State where the State is operating risk adjustment, the State or its designee to any such entity, for purposes of verification, investigation, audit or other review.

(c) Audits and compliance reviews. HHS or its designee may audit or conduct a compliance review of an issuer of a risk adjustment covered plan to assess its compliance with respect to the applicable requirements in this subpart and subpart H of this part. Compliance reviews conducted under this section will follow the standards set forth in § 156.715 of this subchapter.

(1) Notice of audit. HHS will provide at least 30 calendar days advance notice of its intent to conduct an audit of an issuer of a risk adjustment covered plan.

(i) Conferences. All audits will include an entrance conference at which the scope of the audit will be presented and an exit conference at which the initial audit findings will be discussed.

(ii) [Reserved]

(2) Compliance with audit activities. To comply with an audit under this section, the issuer must:

(i) Ensure that its relevant employees, agents, contractors, subcontractors, downstream entities, and delegated entities cooperate with any audit or compliance review under this section;

(ii) Submit complete and accurate data to HHS or its designees that is necessary to complete the audit, in the format and manner specified by HHS, no later than 30 calendar days after the initial audit response deadline established by HHS at the audit entrance conference described in paragraph (c)(1)(i) of this section for the applicable benefit year;

(iii) Respond to all audit notices, letters, and inquiries, including requests for supplemental or supporting information, as requested by HHS, no later than 15 calendar days after the date of the notice, letter, request, or inquiry; and

(iv) In circumstances in which an issuer cannot provide the requested data or response to HHS within the timeframes under paragraphs (c)(2)(ii) or (iii) of this section, as applicable, the issuer may make a written request for an extension to HHS. The extension request must be submitted within the timeframe established under paragraphs (c)(2)(ii) or (iii) of this section, as applicable, and must detail the reason for the extension request and the good cause in support of the request. If the extension is granted, the issuer must respond within the timeframe specified in HHS's notice granting the extension of time.

(3) Preliminary audit findings. HHS will share its preliminary audit findings with the issuer, who will then have 30 calendar days to respond to such findings in the format and manner specified by HHS.

(i) If the issuer does not dispute or otherwise respond to the preliminary findings, the audit findings will become final.

(ii) If the issuer responds and disputes the preliminary findings, HHS will review and consider such response and finalize the audit findings after such review.

(4) Final audit findings. If an audit results in the inclusion of a finding in the final audit report, the issuer must comply with the actions set forth in the final audit report in the manner and timeframe established by HHS, and the issuer must complete all of the following:

(i) Within 45 calendar days of the issuance of the final audit report, provide a written corrective action plan to HHS for approval.

(ii) Implement that plan.

(iii) Provide to HHS written documentation of the corrective actions once taken.

(5) Failure to comply with audit activities. If an issuer fails to comply with the audit activities set forth in this subsection in the manner and timeframes specified by HHS:

(i) HHS will notify the issuer of the risk adjustment (including high-cost risk pool) payments that the issuer has not adequately substantiated; and

(ii) HHS will notify the issuer that HHS may recoup any risk adjustment (including high-cost risk pool) payments identified in paragraph (c)(5)(i) of this section.

[77 FR 17245, Mar. 23, 2012, as amended at 78 FR 65095, Oct. 30, 2013; 79 FR 13836, Mar. 11, 2014; 86 FR 24287, May 5, 2021]

(a) General requirement. An issuer of a risk adjustment covered plan in a State where HHS is operating risk adjustment on behalf of the State for the applicable benefit year must have an initial and second validation audit performed on its risk adjustment data as described in this section.

(b) Initial validation audit. (1) An issuer of a risk adjustment covered plan must engage one or more independent auditors to perform an initial validation audit of a sample of its risk adjustment data selected by HHS. The issuer must provide HHS with the identity of the initial validation auditor, and must attest to the absence of conflicts of interest between the initial validation auditor (or the members of its audit team, owners, directors, officers, or employees) and the issuer (or its owners, directors, officers, or employees), to its knowledge, following reasonable investigation, and must attest that it has obtained an equivalent representation from the initial validation auditor, in a timeframe and manner to be specified by HHS.

(2) The issuer must ensure that the initial validation auditors are reasonably capable of performing an initial data validation audit according to the standards established by HHS for such audit, and must ensure that the audit is so performed.

(3) The issuer must ensure that each initial validation auditor is reasonably free of conflicts of interest, such that it is able to conduct the initial validation audit in an impartial manner and its impartiality is not reasonably open to question.

(4) The issuer must ensure validation of the accuracy of risk adjustment data for a sample of enrollees selected by HHS. The issuer must ensure that the initial validation audit findings are submitted to HHS in a manner and timeframe specified by HHS.

(5) An initial validation audit must be conducted by medical coders certified as such and in good standing by a nationally recognized accrediting agency.

(6) An issuer must provide the initial validation auditor and the second validation auditor with all relevant source enrollment documentation, all claims and encounter data, and medical record documentation from providers of services to each enrollee in the applicable sample without unreasonable delay and in a manner that reasonably assures confidentiality and security in transmission. Notwithstanding any other provision of this section, a qualified provider that is licensed to diagnose mental illness by the State and that is prohibited from furnishing a complete medical record by applicable State privacy laws concerning any enrollee's treatment for one or more mental or behavioral health conditions may furnish a signed mental or behavioral health assessment that, to the extent permissible under applicable Federal and State privacy laws, should contain: The enrollee's name; sex; date of birth; current status of all mental or behavioral health diagnoses; and dates of service. The mental or behavioral health assessment should be signed by the provider and submitted with an attestation that the provider is prohibited from furnishing a complete medical record by applicable State privacy laws.

(7) The risk score of each enrollee in the sample must be validated by—

(i) Validating the enrollee's enrollment data and demographic data in a manner to be determined by HHS.

(ii) Validating enrollee health status through review of all relevant medical record documentation. Medical record documentation must originate from the provider of the services and align with dates of service for the medical diagnoses, and reflect permitted providers and services. For purposes of this section, “medical record documentation” means clinical documentation of hospital inpatient or outpatient treatment or professional medical treatment from which enrollee health status is documented and related to accepted risk adjustment services that occurred during a specified period of time. Medical record documentation must be generated under a face-to-face or telehealth visit documented and authenticated by a permitted provider of services;

(iii) Beginning in the 2018 benefit year, validating enrollee health status through review of all relevant paid pharmacy claims;

(iv) Validating medical records according to industry standards for coding and reporting; and

(v) Having a senior reviewer confirm any enrollee risk adjustment error discovered during the initial validation audit. For purposes of this section, a “senior reviewer” is a reviewer certified as a medical coder by a nationally recognized accrediting agency who possesses at least 5 years of experience in medical coding. However, for validation of risk adjustment data for the 2014 and 2015 benefit years, a senior reviewer may possess 3 or more years of experience.

(8) The initial validation auditor must measure and report to the issuer and HHS, in a manner and timeframe specified by HHS, its inter-rater reliability rates among its reviewers. The initial validation auditor must achieve a consistency measure of at least 95 percent for his or her review outcomes, except that for validation of risk adjustment data for the 2015 and 2016 benefit years, the initial validation auditor may meet an inter-rater reliability standard of 85 percent for review outcomes.

(9) HHS may impose civil money penalties in accordance with the procedures set forth in § 156.805(b) through (e) of this subchapter if an issuer of a risk adjustment covered plan—

(i) Fails to engage an initial validation auditor;

(ii) Fails to submit the results of an initial validation audit to HHS;

(iii) Engages in misconduct or substantial non-compliance with the risk adjustment data validation standards and requirements applicable to issuers of risk adjustment covered plans; or

(iv) Intentionally or recklessly misrepresents or falsifies information that it furnishes to HHS.

(10) If an issuer of a risk adjustment covered plan fails to engage an initial validation auditor or to submit the results of an initial validation audit to HHS, HHS will impose a default data validation charge.

(c) Second validation audit. HHS will select a subsample of the risk adjustment data validated by the initial validation audit for a second validation audit. The issuer must comply with, and must ensure the initial validation auditor complies with, standards for such audit established by HHS, and must cooperate with, and must ensure that the initial validation auditor cooperates with, HHS and the second validation auditor in connection with such audit.

(d) Risk adjustment data validation disputes and appeals. (1) Within 15 calendar days of notification of the initial validation audit sample determined by HHS, in the manner set forth by HHS, an issuer must confirm the sample or file a discrepancy report to dispute the initial validation audit sample determined by HHS.

(2) Within 15 calendar days of the notification of the findings of a second validation audit (if applicable) by HHS, in the manner set forth by HHS, an issuer must confirm the findings of the second validation audit (if applicable), or file a discrepancy report to dispute the findings of a second validation audit (if applicable).

(3) Within 30 calendar days of the notification by HHS of the calculation of a risk score error rate, in the manner set forth by HHS, an issuer must confirm the calculation of the risk score error rate as a result of risk adjustment data validation, or file a discrepancy report to dispute the calculation of a risk score error rate as a result of risk adjustment data validation.

(4) An issuer may appeal the findings of a second validation audit (if applicable) or the calculation of a risk score error rate as result of risk adjustment data validation, under the process set forth in § 156.1220 of this subchapter.

(e) Adjustment of payments and charges. HHS may adjust payments and charges for issuers that do not comply with audit requirements and standards, as specified in paragraphs (b) and (c) of this section.

(f) Data security and transmission. (1) An issuer must submit the risk adjustment data and source documentation for the initial and second validation audits specified by HHS to HHS or its designee in the manner and timeframe specified by HHS.

(2) An issuer must ensure that it and its initial validation auditor comply with the security standards described at 45 CFR 164.308, 164.310, and 164.312 in connection with the initial validation audit, the second validation audit, and any appeal.

(g) Exemptions. An issuer of a risk adjustment covered plan will be exempted by HHS from the data validation requirement set forth in paragraph (b) of this section for a given benefit year if:

(1) The issuer has 500 or fewer billable member months of enrollment in the individual, small group and merged markets (as applicable) for the applicable benefit year, calculated on a Statewide basis;

(2) The issuer is at or below the materiality threshold as defined by HHS and is not selected by HHS to participate in the data validation requirements in an applicable benefit year under random and targeted sampling conducted approximately every 3 years (barring any risk-based triggers based on experience that will warrant more frequent audits); or

(3) The issuer is in liquidation, or will enter liquidation no later than April 30th of the benefit year that is 2 benefit years after the benefit year being audited, provided that:

(i) The issuer provides to HHS, in the manner and timeframe specified by HHS, an attestation that the issuer is in liquidation or will enter liquidation no later than April 30th of the benefit year that is 2 benefit years after the benefit year being audited that is signed by an individual with the authority to legally and financially bind the issuer; and

(ii) The issuer is not a positive error rate outlier under the error estimation methodology in risk adjustment data validation for the prior benefit year of risk adjustment data validation.

(iii) For purposes of this paragraph (g)(3), liquidation means that a State court has issued an order of liquidation for the issuer that fixes the rights and liabilities of the issuer and its creditors, policyholders, shareholders, members, and all other persons of interest.

(4) The issuer only offered small group market carryover coverage during the benefit year that is being audited.

(5) The issuer was the sole issuer in the state market risk pool during the benefit year that is being audited and did not participate in any other market risk pools in the State during the benefit year that is being audited.

[78 FR 15531, Mar. 11, 2013, as amended at 79 FR 13836, Mar. 11, 2014; 81 FR 94174, Dec. 22, 2016; 83 FR 17059, Apr. 17, 2018; 84 FR 17562, Apr. 25, 2019; 86 FR 24287, May 5, 2021; 88 FR 25916, Apr. 27, 2023]