45 CFR 153.630 – Data validation requirements when HHS operates risk adjustment
(a) General requirement. An issuer of a risk adjustment covered plan in a State where HHS is operating risk adjustment on behalf of the State for the applicable benefit year must have an initial and second validation audit performed on its risk adjustment data as described in this section.
(b) Initial validation audit. (1) An issuer of a risk adjustment covered plan must engage one or more independent auditors to perform an initial validation audit of a sample of its risk adjustment data selected by HHS. The issuer must provide HHS with the identity of the initial validation auditor, and must attest to the absence of conflicts of interest between the initial validation auditor (or the members of its audit team, owners, directors, officers, or employees) and the issuer (or its owners, directors, officers, or employees), to its knowledge, following reasonable investigation, and must attest that it has obtained an equivalent representation from the initial validation auditor, in a timeframe and manner to be specified by HHS.
(2) The issuer must ensure that the initial validation auditors are reasonably capable of performing an initial data validation audit according to the standards established by HHS for such audit, and must ensure that the audit is so performed.
(3) The issuer must ensure that each initial validation auditor is reasonably free of conflicts of interest, such that it is able to conduct the initial validation audit in an impartial manner and its impartiality is not reasonably open to question.
(4) The issuer must ensure validation of the accuracy of risk adjustment data for a sample of enrollees selected by HHS. The issuer must ensure that the initial validation audit findings are submitted to HHS in a manner and timeframe specified by HHS.
(5) An initial validation audit must be conducted by medical coders certified as such and in good standing by a nationally recognized accrediting agency.
(6) An issuer must provide the initial validation auditor and the second validation auditor with all relevant source enrollment documentation, all claims and encounter data, and medical record documentation from providers of services to each enrollee in the applicable sample without unreasonable delay and in a manner that reasonably assures confidentiality and security in transmission. Notwithstanding any other provision of this section, a qualified provider that is licensed to diagnose mental illness by the State and that is prohibited from furnishing a complete medical record by applicable State privacy laws concerning any enrollee’s treatment for one or more mental or behavioral health conditions may furnish a signed mental or behavioral health assessment that, to the extent permissible under applicable Federal and State privacy laws, should contain: The enrollee’s name; sex; date of birth; current status of all mental or behavioral health diagnoses; and dates of service. The mental or behavioral health assessment should be signed by the provider and submitted with an attestation that the provider is prohibited from furnishing a complete medical record by applicable State privacy laws.
(7) The risk score of each enrollee in the sample must be validated by—
(i) Validating the enrollee’s enrollment data and demographic data in a manner to be determined by HHS.
(ii) Validating enrollee health status through review of all relevant medical record documentation. Medical record documentation must originate from the provider of the services and align with dates of service for the medical diagnoses, and reflect permitted providers and services. For purposes of this section, “medical record documentation” means clinical documentation of hospital inpatient or outpatient treatment or professional medical treatment from which enrollee health status is documented and related to accepted risk adjustment services that occurred during a specified period of time. Medical record documentation must be generated under a face-to-face or telehealth visit documented and authenticated by a permitted provider of services;
(iii) Beginning in the 2018 benefit year, validating enrollee health status through review of all relevant paid pharmacy claims;
(iv) Validating medical records according to industry standards for coding and reporting; and
(v) Having a senior reviewer confirm any enrollee risk adjustment error discovered during the initial validation audit. For purposes of this section, a “senior reviewer” is a reviewer certified as a medical coder by a nationally recognized accrediting agency who possesses at least 5 years of experience in medical coding. However, for validation of risk adjustment data for the 2014 and 2015 benefit years, a senior reviewer may possess 3 or more years of experience.
(8) The initial validation auditor must measure and report to the issuer and HHS, in a manner and timeframe specified by HHS, its inter-rater reliability rates among its reviewers. The initial validation auditor must achieve a consistency measure of at least 95 percent for his or her review outcomes, except that for validation of risk adjustment data for the 2015 and 2016 benefit years, the initial validation auditor may meet an inter-rater reliability standard of 85 percent for review outcomes.
(9) HHS may impose civil money penalties in accordance with the procedures set forth in § 156.805(b) through (e) of this subchapter if an issuer of a risk adjustment covered plan—
(i) Fails to engage an initial validation auditor;
(ii) Fails to submit the results of an initial validation audit to HHS;
(iii) Engages in misconduct or substantial non-compliance with the risk adjustment data validation standards and requirements applicable to issuers of risk adjustment covered plans; or
(iv) Intentionally or recklessly misrepresents or falsifies information that it furnishes to HHS.
(10) If an issuer of a risk adjustment covered plan fails to engage an initial validation auditor or to submit the results of an initial validation audit to HHS, HHS will impose a default data validation charge.
(c) Second validation audit. HHS will select a subsample of the risk adjustment data validated by the initial validation audit for a second validation audit. The issuer must comply with, and must ensure the initial validation auditor complies with, standards for such audit established by HHS, and must cooperate with, and must ensure that the initial validation auditor cooperates with, HHS and the second validation auditor in connection with such audit.
(d) Risk adjustment data validation disputes and appeals. (1) Within 15 calendar days of notification of the initial validation audit sample determined by HHS, in the manner set forth by HHS, an issuer must confirm the sample or file a discrepancy report to dispute the initial validation audit sample determined by HHS.
(2) Within 15 calendar days of the notification of the findings of a second validation audit (if applicable) by HHS, in the manner set forth by HHS, an issuer must confirm the findings of the second validation audit (if applicable), or file a discrepancy report to dispute the findings of a second validation audit (if applicable).
(3) Within 30 calendar days of the notification by HHS of the calculation of a risk score error rate, in the manner set forth by HHS, an issuer must confirm the calculation of the risk score error rate as a result of risk adjustment data validation, or file a discrepancy report to dispute the calculation of a risk score error rate as a result of risk adjustment data validation.
(4) An issuer may appeal the findings of a second validation audit (if applicable) or the calculation of a risk score error rate as result of risk adjustment data validation, under the process set forth in § 156.1220 of this subchapter.
(e) Adjustment of payments and charges. HHS may adjust payments and charges for issuers that do not comply with audit requirements and standards, as specified in paragraphs (b) and (c) of this section.
(f) Data security and transmission. (1) An issuer must submit the risk adjustment data and source documentation for the initial and second validation audits specified by HHS to HHS or its designee in the manner and timeframe specified by HHS.
(2) An issuer must ensure that it and its initial validation auditor comply with the security standards described at 45 CFR 164.308, 164.310, and 164.312 in connection with the initial validation audit, the second validation audit, and any appeal.
(g) Exemptions. An issuer of a risk adjustment covered plan will be exempted by HHS from the data validation requirement set forth in paragraph (b) of this section for a given benefit year if:
(1) The issuer has 500 or fewer billable member months of enrollment in the individual, small group and merged markets (as applicable) for the applicable benefit year, calculated on a Statewide basis;
(2) The issuer is at or below the materiality threshold as defined by HHS and is not selected by HHS to participate in the data validation requirements in an applicable benefit year under random and targeted sampling conducted approximately every 3 years (barring any risk-based triggers based on experience that will warrant more frequent audits); or
(3) The issuer is in liquidation, or will enter liquidation no later than April 30th of the benefit year that is 2 benefit years after the benefit year being audited, provided that:
(i) The issuer provides to HHS, in the manner and timeframe specified by HHS, an attestation that the issuer is in liquidation or will enter liquidation no later than April 30th of the benefit year that is 2 benefit years after the benefit year being audited that is signed by an individual with the authority to legally and financially bind the issuer; and
(ii) The issuer is not a positive error rate outlier under the error estimation methodology in risk adjustment data validation for the prior benefit year of risk adjustment data validation.
(iii) For purposes of this paragraph (g)(3), liquidation means that a State court has issued an order of liquidation for the issuer that fixes the rights and liabilities of the issuer and its creditors, policyholders, shareholders, members, and all other persons of interest.
(4) The issuer only offered small group market carryover coverage during the benefit year that is being audited.
(5) The issuer was the sole issuer in the state market risk pool during the benefit year that is being audited and did not participate in any other market risk pools in the State during the benefit year that is being audited.