
The Center for Consumer Information & Insurance Oversight


CCIIO Examinations, Audits and Reviews of Issuers: Issuer Resources

CCIIO currently conducts or has plans to conduct various audits and reviews based on the regulations issued as part of the Affordable Care Act (ACA). Included below is a brief description of each type of examination, audit or review and specific resources that are available to Issuers. The selection and scheduling of the various audits and reviews are coordinated within CCIIO to minimize duplicative burden on any one Issuer whenever possible.  CCIIO also works with State regulatory agencies, where appropriate, to coordinate oversight activities.

Medical Loss Ratio (MLR) Examinations

Name of Reviewing Division/Group:

Medical Loss Ratio (MLR) Division/Oversight Group

General Scope and Purpose of Audit/Review:

The Affordable Care Act requires health insurance issuers to disclose how much they spend on health care and how much they spend on administrative costs, such as salaries and marketing. If an issuer spends less than 80% (85% in the large group market) of premium on medical care and efforts to improve the quality of care, it must refund the portion of premium that exceeded this limit. This rule is commonly known as the 80/20 rule or the Medical Loss Ratio (MLR) rule.

Pursuant to the Secretary of the Department of Health and Human Services’ authority under 45 CFR 158 Subpart D, CCIIO regularly reviews issuers’ annual MLR Reporting Forms to confirm compliance with each reporting element of 45 CFR Part 158.  CCIIO performs two types of reviews: internal compliance reviews as well as external audits (or examinations) of issuers’ annual MLR Reporting Form(s) and, beginning with the 2014 reporting year, if applicable, their annual Plan-Level Risk Corridors Data Reporting Form.

Internal compliance reviews consist of a high-level review of the Reporting Form for, among other things: completion accuracy; obvious omissions, errors or questionable data; and comparison to each issuer’s state Supplemental Health Care Exhibit (SHCE).

External audits consist of substantively testing each reporting element utilizing the Agreed-Upon Procedures (AUP) that CCIIO created in conjunction with the National Association of Insurance Commissioners (NAIC), as well as a detailed review of the documents and data that were used by the issuer under review in the completion of the Reporting Form.  Document and data reviews are generally conducted remotely but on-site reviews occur as well.  Entrance, status and exit calls are conducted telephonically.

Types of Documents that are requested and reviewed:

As part of external audits, CCIIO generally requests the following:

  • A detailed description of the issuer’s processes for preparing the MLR Annual Reporting Form
  • Relevant intercompany agreements (such as reinsurance treaties, risk-sharing contracts, inter-company tax allocation agreements, and third party vendor contracts)
  • Policy-level premium data
  • Claim-level claims data and Explanations of Benefits (EOBs), and support for claims run-out
  • Group Contracts and Subscriber Certificates as well as Individual Insurance Policies
  • Queries created to run reports for MLR reporting
  • Issuer policies and procedures for determining group size and market classification
  • Support for allocation of expenses across companies and lines of business (including lines of business not subject to the MLR reporting, if any)
  • For issuer functions or benefit management that is outsourced to a third party, support for the determination of how the issuer or its business associate determined the amount to allocate to incurred claims and quality improving activities versus administrative, non-claims costs, and support for market and state classification of the payments
  • A description of all Quality Improving Activities (QIA) and support for how they meet the regulatory definition of a QIA, as well as transaction-level QIA data
  • Copies of MLR Rebate Notices and Rebate Checks
  • Support for the handling, distribution and aggregation of any de minimis rebates
  • Agreements with any church plan policyholders regarding compliance with rebate distribution requirements
  • Tax forms
  • Organization charts

Time Period(s) Reviewed:

  • Current Reporting Year for internal review.
  • Most recent MLR Reporting Year as well as two prior reporting years for external audit.
  • CCIIO reserves the right to review prior years’ Reporting Forms as the circumstances may warrant.

Issuer Notification Method:

  • For internal reviews, issuers are only notified if CCIIO has a question regarding, or finds an error with, any of the information submitted on the Reporting Form.
  • Issuers selected for an external audit are notified via email and asked to contact CCIIO to schedule an Entrance Call within five days of receipt of the call letter.  Issuers are provided 30 days to submit certain documentation (such as the items enumerated above) and 45 days to submit data files.  Separate notices are sent for document and data requests.  Audits are conducted continuously throughout the year and are “called” on a rolling basis.

Additional Resources:

MLR Examination Reports can be found under the Programs and Initiatives section at:

Search Tool for MLR Reports (by Issuer; by State) can be found under the MLR Data Resources section at:

The MLR Annual Reporting Forms and Instructions can be found under the MLR Other Resources section at: Loss Ratio


Federal Market Conduct Examinations – Market-wide requirements

Name of Reviewing Division:

Compliance and Enforcement/Oversight Group

General Scope and Purpose of Audit/Review:

The Oversight Group’s Compliance and Enforcement Division may, under the authority of 45 CFR § 150.313, conduct Federal Market Conduct Examinations of the health insurance operations of issuers in all states, including the direct enforcement states (currently Alabama, Missouri, Oklahoma, Texas, and Wyoming), to verify compliance with market-wide Public Health Service Act (PHS Act) requirements.  Examinations may also be conducted on Non-federal governmental plans to verify compliance with the market-wide PHS Act requirements.

Types of Documents that may be requested and reviewed:

CCIIO will use the NAIC’s Market Regulation Handbook to conduct federal Market Conduct Examinations.  The Market Regulation Handbook sets out the types of documents that may be requested based on the area under review. Such documents include, but are not limited to:

  • Certificates
  • Group policies
  • Individual policies
  • Summary of Benefits and Coverage
  • Complaints
  • Notices required under federal law or regulation
    • Claims Denial and Appeals notices
    • Denial of enrollment notices
    • Rescission  notices
  • Claim payment procedures
    • Evidence of claim payment
    • Explanation of Benefits
    • Medical criteria used to make determinations.

See the Market Conduct Exam Checklist for details on market-wide PHS Act requirements (link below)

Issuers will be asked to upload all requested documents into the Health Insurance Oversight System (HIOS) Document Collection Market Conduct Module for CCIIO review.  While providing claims information is part of the market conduct examination process, issuers should not provide any documents or files containing Personal Health Information (PHI) or Personally Identifiable Information (PII) through HIOS. This type of information must be redacted by the issuer prior to document or file upload into HIOS.

Types of Reviews:

CCIIO expects that most audits will be targeted to specific market-wide PHS Act requirements; however, CCIIO may conduct full market-conduct examinations (as appropriate).   Depending on the areas to be reviewed, CCIIO may conduct the federal market conduct examination as a desk audit, an on-site audit, or a combination of desk and on-site audit.

Look-back Period(s):

The look-back period will be determined based on the targeted areas of review for each examination.  The look-back period could be up to three years.

Issuer Notification Method:

The HIOS Market Conduct Module will be used to notify issuers when an examination is called. In addition, this module will be used, in part, for communication between CCIIO and the examinee.  As noted above, HIOS will be used to share documents and files during the examination.

Additional Resources:

Market Conduct Exam checklist can be found under the CMS Enforcement section at:

Market Conduct exam slide deck can be found under the Health Insurance Market Reforms Training Resources section at:


CO-OP Compliance Reviews

Name of Reviewing Division:

CO-OP Program/Insurance Programs Group

General Scope and Purpose of Audit/Review:

In accordance with Section 11 of the CO-OP Program Loan Agreement, CMS conducts the CO-OP Compliance Reviews as part of its oversight of the CO-OP Program.  The CO-OP Compliance Reviews provide CMS with information regarding each CO-OP’s progress towards designing and implementing key operational and financial policies and procedures.  In addition, these reviews provide insight into their compliance with the CO-OP Program loan agreement and key state and federal requirements which impact their participation in the CO-OP Program.   Specifically, CMS assesses Market Conduct Examination readiness, programmatic compliance, and the establishment of financial management controls.  In addition, CMS obtains information regarding each CO-OP’s plan, strategy, and progress in developing policies and procedures and implementing standards related to consumer focus, integrated care, and quality of care.

Types of Documents that may be requested and reviewed:

The documentation required for the current and ongoing CO-OP Compliance Reviews includes policies, procedures, and other data related to:

  • Claims
  • Policyholder services
  • Complaint handling including grievance and appeals procedures
  • Provider credentialing
  • Marketing and sales

Look-back Period(s):

The look-back period will be determined based on the targeted areas of review for each examination.  The look-back period could be up to three years.

Issuer Notification Method:

Documentation will be collected from the CO-OP via email by using encryption software (SecureZip) or a secured email network established by the CO-OP. The methodology used to transfer data from the CO-OP to the CMS contractor will be mutually agreed upon by CMS, the CO-OP, and the CMS contractor team.

FFM Compliance Reviews

Name of Reviewing Division:

Issuer Compliance & Monitoring/Marketplace Plan Management Group

General Scope and Purpose of Audit/Review:

Consistent with the authority under 45 C.F.R. 156.715, CCIIO will perform compliance reviews of issuers offering Qualified Health Plans (QHPs) and stand-alone dental plans (SADPs) in the Federally-facilitated Marketplaces (FFM). Compliance reviews will focus on FFM requirements for QHP certification under 45 CFR part 156 and other key FFM operational standards for those states in which CMS is operating the Marketplace, including the FFM where the states are performing plan management functions.

There are three types of compliance reviews:

  • Standard review – includes all review areas.
  • Limited Review – includes one or more review areas and is conducted in coordination with another reviewing entity (i.e., OPM or states).
  • Target Review – includes one or more review areas due to a potential compliance issue.

Reviews will be conducted as either:

  • Desk review – all interviews will be done via conference call and all testing and review of documents will be done remotely or via webinar or screen sharing.
  • Onsite review – initial interviews will be done on-site at the issuer’s locations. Testing and review of documents will be done onsite, except follow-up testing which will be done remotely. Follow-up interviews may be conducted via conference call.

Types of Documents that may be requested and reviewed:

The compliance review process includes the submission of documents (including testing samples) that relate to the areas under review for the applicable year, to demonstrate compliance with FFM specific standards. Such documents may include, but are not limited to:

  • Policy and Procedures
    • Include for each operational area reviewed
  • Delegated Entity Agreements
    • Copies of contracts, including Agent/Broker agreement
    • Delegated oversight process
  • Affiliated Agents/Brokers
    • Listing of NPNs
    • Date first policy application/sold
  • Provider Network Listing
  • Provider Directories
  • Essential Community Providers Listing
    • Contract offers
    • Template agreements
  • Consumer Notices, including but not limited to:
    • Welcome Packet
    • Sample termination notices
    • Sample Discontinuance and Non-renewal notices
  • Prescription Drug Formulary
  • HICS Casework notes

Detailed examples of regulatory and operational areas that will be reviewed are included in the Key Priorities for FFM Compliance Review document referenced in the Additional Resources below.

Look-back Period(s):

Current Benefit Year - which includes the applicable annual certification filing cycle and Open Enrollment period.

Issuer Notification Method:

Issuers will be selected and notified on a staggered basis throughout the year. Issuers will be provided a minimum of 30 days to submit requested documentation, unless notified that the review is being conducted on an expedited basis. Two notices will be sent:

  1. Initial Selection Notice sent by account manager
  2.  Document Request List and instructions sent by the contractor review team

Additional Resources:

Key Priorities for FFM Compliance Reviews for the 2018 Benefit Year

Key Priorities for FFM Compliance Reviews for the 2017 Benefit Year

Key Priorities for FFM Compliance Reviews for the 2016 Benefit Year

Key Priorities for FFM Compliance Reviews for the 2015 Benefit Year

Key Priorities for FFM Compliance Reviews for the 2014 Benefit Year

2017 Plan Year Notice Review Summary Report

2016 Plan Year FFE Compliance Review Summary Report

2015 Plan Year FFE Compliance Review Summary Report

2014 Plan Year FFE Compliance Review Summary Report