§ 422.503 General provisions.
(a) Basic rule. In order to qualify as an MA organization, enroll beneficiaries in any MA plans it offers, and be paid on behalf of Medicare beneficiaries enrolled in those plans, an MA organization must enter into a contract with CMS.
(b) Conditions necessary to contract as an MA organization. Any entity seeking to contract as an MA organization must:
(1) Complete an application as described in § 422.501.
(2) Be licensed by the State as a risk bearing entity in each State in which it seeks to offer an MA plan as defined in § 422.2.
(3) Meet the minimum enrollment requirements of § 422.514, unless waived under § 422.514(b).
(4) Have administrative and management arrangements satisfactory to CMS, as demonstrated by at least the following:
(i) A policy making body that exercises oversight and control over the MA organization's policies and personnel to ensure that management actions are in the best interest of the organization and its enrollees.
(ii) Personnel and systems sufficient for the MA organization to organize, implement, control, and evaluate financial and communication activities, the furnishing of services, the quality improvement program, and the administrative and management aspects of the organization.
(iii) At a minimum, an executive manager whose appointment and removal are under the control of the policy making body.
(iv) A fidelity bond or bonds, procured and maintained by the MA organization, in an amount fixed by its policymaking body but not less than $100,000 per individual, covering each officer and employee entrusted with the handling of its funds. The bond may have reasonable deductibles, based upon the financial strength of the MA organization.
(v) Insurance policies or other arrangements, secured and maintained by the MA organization and approved by CMS to insure the MA organization against losses arising from professional liability claims, fire, theft, fraud, embezzlement, and other casualty risks.
(vi) Adopt and implement an effective compliance program, which must include measures that prevent, detect, and correct non-compliance with CMS' program requirements as well as measures that prevent, detect, and correct fraud, waste, and abuse. The compliance program must, at a minimum, include the following core requirements:
(A) Written policies, procedures, and standards of conduct that—
(1) Articulate the organization's commitment to comply with all applicable Federal and State standards;
(2) Describe compliance expectations as embodied in the standards of conduct;
(3) Implement the operation of the compliance program;
(4) Provide guidance to employees and others on dealing with potential compliance issues;
(5) Identify how to communicate compliance issues to appropriate compliance personnel;
(6) Describe how potential compliance issues are investigated and resolved by the organization; and
(7) Include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials.