150.313—Market conduct examinations.
(a) Definition.
A market conduct examination means the examination of health insurance operations of an issuer, or the operation of a non-Federal governmental plan, involving the review of one or more (or a combination) of a responsible entity's business or operational affairs, or both, to verify compliance with HIPAA requirements.
(b) General.
If, based on the information described in § 150.303, CMS finds evidence that a specific entity may be in violation of a HIPAA requirement, CMS may initiate a market conduct examination to determine whether the entity is out of compliance. CMS may conduct the examinations either at the site of the issuer or other responsible entity or a site CMS selects. When CMS selects a site, it may direct the issuer or other responsible entity to forward any documentation CMS considers relevant for purposes of the examination to that site.
(c) Appointment of examiners.
When CMS identifies an issue that warrants investigation, CMS will appoint one or more examiners to perform the examination and instruct them as to the scope of the examination.
(d) Appointment of professionals and specialists.
When conducting an examination under this part, CMS may retain attorneys, independent actuaries, independent market conduct examiners, or other professionals and specialists as examiners.
(e) Report of market conduct examination—
(1) CMS review.
When CMS receives a report, it will review the report, together with the examination work papers and any other relevant information, and prepare a final report. The final examination report will be provided to the issuer or other responsible entity.
(2) Response from issuer or other responsible entity.
With respect to each examination issue identified in the report, the issuer or other responsible entity may:
(i)
Concur with CMS's position(s) as outlined in the report, explaining the plan of correction to be implemented.
(ii)
Dispute CMS's position(s), clearly outlining the basis for its dispute and submitting illustrative examples where appropriate.
(3) CMS's reply to a response from an issuer or other responsible entity.
Upon receipt of a response from the issuer or other responsible entity, CMS will provide a letter containing its reply to each examination issue. CMS's reply will consist of one of the following:
(iii)
Conditional approval of the issuer's or non-Federal governmental plan's proposed plan of correction, which will include any modifications CMS requires.
(iv)
Notice to the issuer or non-Federal governmental plan that there exists a potential violation of HIPAA requirements.