CCIIO Examinations, Audits and Reviews of Issuers: Issuer Resources

CCIIO Examinations, Audits and Reviews of Issuers: Issuer Resources

CCIIO currently conducts or has plans to conduct various audits and reviews based on the regulations issued as part of the Affordable Care Act (ACA). Included below is a brief description of each type of examination, audit or review and specific resources that are available to Issuers. The selection and scheduling of the various audits and reviews are coordinated within CCIIO to minimize duplicative burden on any one Issuer whenever possible.  CCIIO also works with State regulatory agencies, where appropriate, to coordinate oversight activities.

Medical Loss Ratio (MLR) Examinations

Name of Reviewing Division/Group:

Medical Loss Ratio (MLR) Division/Oversight Group

General Scope and Purpose of Audit/Review:

The Affordable Care Act requires health insurance issuers to disclose how much they spend on health care and how much they spend on administrative costs, such as salaries and marketing. If an issuer spends less than 80% (85% in the large group market) of premium on medical care and efforts to improve the quality of care, it must refund the portion of premium that exceeded this limit. This rule is commonly known as the 80/20 rule or the Medical Loss Ratio (MLR) rule.

Pursuant to the Secretary of the Department of Health and Human Services authority under 45 CFR 158 Subpart D, CCIIO regularly reviews issuers’ annual MLR Reporting Forms to confirm compliance with each reporting element of 45 CFR Part 158.  CCIIO performs two types of reviews: internal compliance reviews as well as external audits (or examinations) of issuers’ annual MLR Reporting Form(s) and, beginning with the 2014 reporting year, if applicable, their annual Plan-Level Risk Corridors Data Reporting Form.

Internal compliance reviews consist of a high-level review of, amongst other things, the Reporting Form for: completion accuracy; obvious omissions, errors or questionable data; and, comparison to each issuer’s state Supplemental Health Care Exhibit (SHCE).

External audits consist of substantively testing each reporting element utilizing the Agreed-Upon Procedures (AUP) that CCIIO created in conjunction with the National Association of Insurance Commissioners (NAIC), as well as a detailed review of the documents and data that were used by the issuer under review in the completion of the Reporting Form.  Document and data reviews are generally conducted remotely but on-site reviews occur as well.  Entrance, status and exit calls are conducted telephonically.

Types of Documents that are requested and reviewed:

As part of external audits, CCIIO generally requests the following:

  • A detailed description of the issuer’s processes for preparing the MLR Annual Reporting Form
  • Relevant intercompany agreements (such as reinsurance treaties, risk-sharing contracts, inter-company tax allocation agreements, and third party vendor contracts)
  • Policy-level premium data
  • Claim-level claims data and Explanations of Benefits (EOBs), and support for claims run-out
  • Group Contracts and Subscriber Certificates as well as Individual Insurance Policies
  • Queries created to run reports for MLR reporting
  • Issuer policies and procedures for determining group size and market classification
  • Support for allocation of expenses across companies and lines of business (including lines of business not subject to the MLR reporting, if any)
  • For issuer functions or benefit management that is outsourced to a third party, support for the determination of how the issuer or its business associate determined the amount to allocate to incurred claims and quality improving activities versus administrative, non-claims costs, and support for market and state classification of the payments
  • A description of all Quality Improving Activities (QIA) and support for how they meet the regulatory definition of a QIA, as well as transaction-level QIA data
  • Copies of MLR Rebate Notices and Rebate Checks
  • Support for the handling, distribution and aggregation of any de minimis rebates
  • Agreements with any church plan policyholders regarding compliance with rebate distribution requirements
  • Tax forms
  • Organization charts

Time Period(s) Reviewed:

  • Current Reporting Year for internal review.
  • Most recent MLR Reporting Year as well as two prior reporting years for external audit.
  • CCIIO reserves the right to review prior years’ Reporting Forms as the circumstances may warrant.

Issuer Notification Method:

  • For internal reviews, issuers are only notified if CCIIO has a question regarding, or finds an error with, any of the information submitted on the Reporting Form.
  • Issuers selected for an external audit are notified via email and asked to contact CCIIO to schedule an Entrance Call within five days of receipt of the call letter.  Issuers are provided 30 days to submit certain documentation (such as the items enumerated above) and 45 days to submit data files.  Separate notices are sent for document and data requests.  Audits are conducted continuously throughout the year and are “called” on a rolling basis.

Additional Resources:

Federal Market Conduct Examination-Market-wide requirements

Name of Reviewing Division:

Compliance and Enforcement/Oversight Group

General Scope and Purpose of Audit/Review:

The Oversight Group’s Compliance and Enforcement Division may conduct Federal Market Conduct Examinations based on the authority under 45 CFR § 150.313 of health insurance operations of issuers in all states, including the direct enforcement states (currently Alabama, Missouri, Oklahoma, Texas, and Wyoming) to verify compliance with market-wide Public Health Service Act (PHS Act) requirements.  Examinations may also be conducted on Non-federal governmental plans to verify compliance with the market-wide PHS Act requirements.

Types of Documents that may be requested and reviewed:

CCIIO will use the NAIC’s Market Regulation Handbook to conduct federal Market Conduct Examinations.  The Market Regulation Handbook sets out the types of documents that may be requested based on the area under review. Such documents include, but are not limited to:

  • Certificates
  • Group policies
  • Individual policies
  • Summary of Benefits and Coverage
  • Complaints
  • Notices required under federal law or regulation
    • Claims Denial and Appeals notices
    • Denial of enrollment notices
    • Rescission  notices
  • Claim payment procedures
    • Evidence of claim payment
    • Explanation of Benefits
    • Medical criteria used to make determinations.

See the Market Conduct Exam Checklist for details on market-wide PHS Act requirements (link below)

Issuers will be asked to upload all requested documents into the Health Insurance Oversight System (HIOS) Document Collection Market Conduct Module for CCIIO review.  While providing claims information is part of the market conduct examination process, issuers should not provide any documents or files containing Personal Health Information (PHI) or Personally Identifiable Information (PII) through HIOS. This type of information must be redacted by the issuer prior to document or file upload into HIOS.

Types of Reviews:

CCIIO expects that most audits will be targeted to specific market-wide PHS Act requirements; however, CCIIO may conduct full market-conduct examinations (as appropriate).   Depending on the areas to be reviewed, CCIIO may conduct the federal market conduct examination as a desk audit, an on-site audit, or a combination of desk and on-site audit.

Look-back Period(s):

The determination will be made on the look back period based on the targeted areas of review for each examination.  The look-back period could be up to three years.

Issuer Notification Method:

The HIOS Market Conduct Module will be used to notify issuers when an examination is called. In addition, this module will be used, in part, for communication between CCIIO and the examinee.  As noted above, HIOS will be used to share documents and files during the examination.

Additional Resources:

CO–OP Compliance Reviews

Name of Reviewing Division:

CO-OP Program/Insurance Programs Group

General Scope and Purpose of Audit/Review:

In accordance with Section 11 of the CO-OP Program Loan Agreement, CMS conducts the CO-OP Compliance Reviews as part of its oversight of the CO-OP Program.  The CO-OP Compliance Reviews provide CMS with information regarding each CO-OP’s progress towards designing and implementing key operational and financial policies and procedures.  In addition, these reviews provide insight into their compliance with the CO-OP Program loan agreement and key state and federal requirements which impact their participation in the CO-OP Program.   Specifically, CMS assesses Market Conduct Examination readiness, programmatic compliance, and the establishment of financial management controls.  In addition, CMS obtains information regarding each CO-OP’s plan, strategy, and progress in developing policies and procedures and implementing standards related to consumer focus, integrated care, and quality of care.

Types of Documents that may be requested and reviewed:

The documentation required for the current and ongoing CO-OP Compliance Reviews include policies, procedures, and other data related to:

  • Claims
  • Policyholder services
  • Complaint handling including grievance and appeals procedures
  • Provider credentialing
  • Marketing and sales

Look-back Period(s):

The determination will be made on the look back period based on the targeted areas of review for each examination.  The look-back period could be up to three years.

Issuer Notification Method:

Documentation will be collected from the CO-OP via email by using encryption software (SecureZip) or a secured email network established by the CO-OP. The methodology used to transfer data from the CO-OP to the CMS contractor will be mutually agreed upon by CMS, the CO-OP, and the CMS contractor team.

FFE Compliance Reviews

Name of Reviewing Division:

Issuer Compliance & Monitoring/Marketplace Plan Management Group

General Scope and Purpose of Audit/Review:

Consistent with the authority under 45 C.F.R. 156.715, CCIIO will perform compliance reviews of issuers offering Qualified Health Plans (QHPs) and stand-alone dental plans (SADPs) in the Federally-facilitated Exchanges (FFE). Compliance reviews will focus on FFE requirements for QHP certification under 45 CFR part 156 and other key FFE operational standards for those states in which CMS is operating the Exchange, including the FFE where the states are performing plan management functions.

There are three types of compliance reviews:

  • Standard review – includes all review areas.
  • Limited Review – includes one or more review areas and is conducted in coordination with another reviewing entity (i.e., OPM or states).
  • Target Review – includes one or more review areas due to a potential compliance issue.
    Reviews will be conducted as either:
  • Desk review – all interviews will be done via conference call and all testing and review of documents will be done remotely or via webinar or screen sharing.
  • Onsite review- initial interviews will be done on-site at the issuer’s locations. Testing and review of documents will be done onsite, except follow-up testing which will be done remotely. Follow-up interviews may be conducted via conference call.

Types of Documents that may be requested and reviewed:

The compliance review process includes the submission of documents (including testing samples) that relate to the areas under review for the applicable year, to demonstrate compliance with FFE specific standards. Such documents may include, but are not limited to:

  • Policy and Procedures
  • Delegated Entity Agreements
    • Copies of contracts, including Agent/Broker agreement
    • Delegated oversight process
  • Affiliated Agents/Brokers
    • Listing of NPNs
    • Date first policy application/sold
  • Provider Directories and URLs
  • Essential Community Providers Listing
    • Contract offers
    • Template agreements
  • Prescription Drug Formulary and URL
  • HICS Casework notes and resolution letters
  • Enrollment Records
    • Welcome packets
    • Invoices
    • Notices

Detailed examples of regulatory and operational areas that will be reviewed are included in the Key Priorities for FFE Compliance Review document referenced in the Additional Resources below.

Look-back Period(s):

Current Benefit Year - which includes the applicable annual certification filing cycle and Open Enrollment period.

Issuer Notification Method:

Issuers will be selected and notified on a staggered basis throughout the year. Issuers will be provided a minimum of 30 days to submit requested documentation, unless notified that the review is being conducted on an expedited basis. Two notices will be sent:

  1. Initial Selection Notice sent by account manager
  2. Document Request List and instructions sent by the contractor review team

Additional Resources:

Advance Payments of the Premium Tax Credit (APTC) Audits

Name of Reviewing Division/Group:

Payment Policy and Financial Management Group (PPFMG)

General Scope and Purpose of Audit/Review:

Sections 1401 of the Patient Protection and Affordable Care Act (ACA) established the Advance Payments of the Premium Tax Credit (APTC) program to lower the monthly premium for eligible individuals. Section 1311 of the ACA allows the Federally-Facilitated Exchanges (FFEs) to charge participating issuers user fees to support FFE operations. Additionally, Office of Management and Budget (OMB) Circular A-25 allows the FFEs and State-based Exchanges on the Federal platform (SBE-FPs) to calculate, collect, and expend user fees.


Regulations at 45 CFR §§ 156.480, 156.705, and 156.715 allow the Department of Health and Human Services (HHS) to conduct audits of issuers that offer a Qualified Health Plan (QHP) in the individual market through an Exchange to assess compliance with the APTC and FFE (and SBE-FP) user fee program requirements.  The goals of these audits are to:

  • Safeguard Federal funds;
  • Instill confidence in payment data quality among regulated entities;
  • Evaluate health insurance issuer compliance with program rules and regulations; and
  • Efficiently use taxpayer resources while minimizing unnecessary burden on issuers and consumers.

Interim Payment Process

CMS used two different payment processes to calculate and remit monthly APTC: 1.) a temporary process (i.e., “interim manual payment process”) and 2.) policy-based payments process.

  
For the 2014 and 2015 benefit years, CMS implemented the interim manual payment process to calculate and make monthly payments of APTC as well as to calculate and collect monthly FFE user fee amounts based on data submitted by issuers at the QHP-level. On a monthly basis, CMS required submitters to use a standard template to submit payment data.  All FFE issuers were paid via the interim manual process in 2014 and 2015.  Issuers in State-based Exchanges (SBEs) were also paid via the interim manual process starting in 2016.


In 2016, all FFE issuers transitioned to the CMS automated payment system known as policy-based payments (PBP).  Thus, the 2016 benefit year is the first year CMS will perform FFE audits under PBP.  In 2018, CMS began to transition SBEs to the PBP system.  As such, the 2018 benefit year will be the first year CMS will conduct SBE audits under PBP.  


CMS established an audit protocol that is organized around the following regulations governing APTC and FFE user fee programs as well as the procedures required to assess compliance with these applicable regulations:

  • 45 CFR §156.50: Financial Support;
  • 45 CFR §156.460: Reduction of enrollee’s share of premium to account for advance payments of the premium tax credit;
  • 45 CFR §156.705: Maintenance of records for Federally-facilitated Exchanges; and
  • 45 CFR §156.715: Compliance reviews of QHP issuers in Federally-facilitated Exchanges.

Time Period(s) Reviewed:

Issuers are audited for each benefit year, starting with 2014.

Issuer Notification Method:

  • Issuers selected for audit receive a signed letter via email; and
  • CCIIO--authorized contractors follow up with each issuer selected for audit to schedule entrance conferences

CMS notifies issuers selected for audit and evaluates compliance with applicable rules and regulations governing the user fee and APTC programs.

Additional Resources

Transitional Reinsurance Program Audits

Name of Reviewing Division/Group:

Payment Policy and Financial Management Group (PPFMG)

General Scope and Purpose of Audit/Review:

Section 1341 of the Patient Protection and Affordable Care Act (ACA) established the transitional reinsurance program to stabilize premiums in the individual market inside and outside of the Exchanges in each State and the District of Columbia for benefit years 2014, 2015, and 2016. The transitional reinsurance program collected contributions from contributing entities to fund reinsurance payments to issuers of non-grandfathered individual market reinsurance-eligible plans, the administrative costs of operating the program, and the General Fund of the U.S. Treasury. The Department of Health and Human Services (HHS) operated the transitional reinsurance program on behalf of any state that elected not to operate its own program. For benefit year 2014 and most of benefit year 2015, HHS operated the transitional reinsurance program in all states and the District of Columbia with the exception of Connecticut. Effective April 7, 2017, HHS began operating the transitional reinsurance program in Connecticut for the remainder of benefit year 2015. For benefit year 2016, HHS operated the transitional reinsurance program in all states and the District of Columbia.

45 CFR § 153.410(d) authorizes HHS or its designee to audit or conduct a compliance review of an issuer with reinsurance-eligible plans to assess compliance with applicable federal requirements for the transitional reinsurance program.

The goals of these audits are to:

  • Safeguard federal funds;
  • Instill confidence amongst regulated entities concerning data quality, soundness, and robustness;
  • Evaluate health insurance issuers' compliance with federal program rules and regulations; and,
  • Develop a successful and coordinated risk-based audit program that maximizes resources.

Audit Process

CMS established audit protocols to assess issuers' compliance with the applicable federal transitional reinsurance program requirements. The audit protocols are designed to evaluate the accuracy of the data submitted to issuers' EDGE servers that was used to calculate reinsurance payments and are organized around the following federal regulations:

  • 45 CFR § 153.410: Requests for reinsurance payment;*
  • 45 CFR § 153.420: Data collection; and
  • 45 CFR § 153.700, et seq.; Distributed data collection for HHS-Operated Programs.

*Please note: In the HHS Notice of Benefit and Payment Parameters for 2022 Final Rule (86 FR 24140 (May 5, 2021)), CMS amended 45 CFR § 153.410(d). The amended regulations applies to audits commenced on or after July 6, 2021.

Time Period(s) Reviewed:

CMS is performing audits of issuers of RI eligible plans for each benefit year the transitional reinsurance program was active - 2014 through 2016. The audit program commenced in 2018 with the review of data submissions by issuers of reinsurance eligible plans to support reinsurance payments for the benefit year 2014. The transitional reinsurance program payment audits for benefit year 2014 are complete.

Issuer Audit Notification Method:

  • Issuers selected for audit receive a notice from CMS via email at least 30 days before the start of the audit; and
  • The auditor follows up with each issuer selected for audit to schedule an entrance conference.

Additional Resources

 

High-Cost Risk Pool (HCRP) Audits


Name of Reviewing Division/Group:


Payment Policy and Financial Management Group (PPFMG)


General Scope and Purpose of Audit/Review


Section 1343 of the Patient Protection and Affordable Care Act (ACA) established the permanent risk adjustment program, one of the three premium stabilization programs, to provide payments to health insurance issuers that cover higher-cost and higher-risk populations to more evenly spread the financial risk borne by issuers of risk adjustment-covered plans and help stabilize premiums. CMS established the high-cost risk pool (HCRP) as part of the Department of Health and Human Services (HHS)-operated risk adjustment methodology beginning with the 2018 benefit year (81 FR 94058 (Jan. 17, 2017)). HCRP calculations are made for two national risk pool markets—one for the individual market (including catastrophic and non-catastrophic plans, and merged market plans), and another for the small group market. Issuers of risk adjustment-covered plans with HCRP-eligible enrollees receive payments for a percentage of covered claims (coinsurance rate) above the attachment point. HCRP payments are funded by a percent of premium charge on all risk adjustment covered plans within the respective national market risk pool.

45 C.F.R. § 153.620(c) authorizes HHS or its designee to audit or conduct a compliance review of an issuer with the applicable federal requirements related to the HHS-operated risk adjustment program (including the HCRP). CMS, on behalf of HHS, operates the risk adjustment program and conducts HCRP Audits:

The goals of these audits are to:

•    Safeguard federal funds;
•    Instill confidence amongst regulated entities and interested parties concerning quality, soundness, and robustness of data;
•    Evaluate health insurance issuers’ compliance with applicable federal risk adjustment program requirements; and
•    Develop a successful and coordinated HCRP-based audit program that maximizes resources.


Audit Process


CMS established audit protocols to assess issuers' compliance with the applicable federal requirements related to the HHS-operated risk adjustment program (including the HCRP). The audit protocols are designed to evaluate the accuracy of the enrollee-level enrollment (including premium) and claims data submitted to issuers' EDGE servers as of the applicable benefit year’s EDGE data submission deadline and that were used to calculate HCRP payments. The audit also evaluates issuers’ internal controls related to EDGE data submission for HCRP payments. The audits and are organized around the following federal regulations:

•    45 CFR § 153.610: Risk Adjustment Issuer requirements;
•    45 CFR § 153.620: Compliance with risk adjustment standards;* and
•    45 CFR § 153.700, et seq.: Distributed Data Collection for HHS-Operated Programs.

*Please note: In the HHS Notice of Benefit and Payment Parameters for 2022 Final Rule (86 FR 24140 (May 5, 2021)), CMS amended 45 CFR § 153.410(d). The amended regulations apply to audits commenced on or after July 6, 2021.


Time Period(s) Reviewed


CMS is performing audits of issuers of risk adjustment covered plans for each benefit year for which payments are made for the HCRP. The audit program commenced in 2021 with the review of data submissions by issuers of risk adjustment covered plans to support HCRP payments for the 2018 benefit year. The HCRP Audits for benefit year 2018 are complete.


Issuer Audit Notification Method


•    Issuers selected for audit receive a notice from CMS via email at least 30 calendar days before the start of the audit; and
•    The auditor notifies each issuer selected for audit regarding the scheduled entrance conference.


Additional Resources


•    Benefit Year (BY) 2018 High-cost Risk Pool (HCRP) Audit Summary (PDF)
•    High-Cost Risk Pool (HCRP) Audit Reports 
•    High-Cost Risk Pool Reference Guide (10-4-18) on REGTAP
•    Premium Stabilization Programs
 

 

Page Last Modified:
03/11/2024 07:03 AM
Help with File Formats and Plug-Ins