It’s that time of year! The mad rush of AEP is over and many carriers are beginning to conduct compliance audits with agents, agencies and downline agents. First, let’s address some common questions we get regarding compliance.


  1. Why do carriers do compliance audits? Carriers do not conduct these audits for the sole purpose of catching an agent doing something wrong. They do so to make sure that the agents and agencies representing the carrier’s products are operating within the guidelines put forth by CMS each year.


  2. What if a carrier finds that an agent or agency is operating outside of CMS guidelines, or is not doing something it should be doing to remain compliant? The carrier will work with the agent or agency to bring its standards of compliance within the required CMS threshold.


We have extensive experience with numerous carriers’ auditing processes and have outlined some of the common areas of concern that carriers are addressing. These are the areas where carriers may ask agents or agencies to show proof of certain activities when being audited, so when reviewing each topic remember to always keep the appropriate documentation of each compliance activity as it is completed.


  • Policies and Procedures: Carriers request that all agents and agencies have written Policies and Procedures (P&P) that show how you operate your business: hiring, compliance, record keeping, security, etc. Be sure to describe all operations within your business as they pertain to Medicare Parts C and D.
  • Code of Conduct: A Code of Conduct is designed to promote honest, ethical, and lawful conduct by all employees, officers, and directors within an organization. Remember, the actions of all people affiliated with your organization affect the reputation and integrity of your company. A Code of Conduct should be distributed to new hires within 90 days of hire and revisited with all staff annually.
  • General Compliance and Fraud, Waste, and Abuse Training: All non-agent employees should receive compliance and fraud, waste, and abuse training within 90 days of hire and annually thereafter. Proof of completion should be retained for 10 years.
  • OIG/GSA/State Exclusion Checks: All non-agent employees should be checked against these exclusion lists prior to hire and monthly thereafter. Documentation of completion should be retained for 10 years.
  • Agent Oversight: Carriers will ask you to describe your oversight efforts as they pertain to your downline agents. Do you offer any training? Do you oversee their marketing efforts? How do you communicate compliance-related matters to them?
  • Vendor Management: Do you use third-party vendors or contractors to complete tasks related to Medicare business? If so, do you use any sort of vetting process? How do you ensure they are compliant with CMS and HIPAA regulations?
  • Data Security: How do you keep sensitive information secure? When transmitting sensitive information, is it transmitted securely? Do you use disk encryption to protect data at rest? Is your physical office space secure against threats? Do you have a Disaster Recovery plan in place?
  • Offshore Subcontracting: This means subcontracting administrative or health care services relating to EHI’s Medicare Parts C and D contracts to an individual or entity located outside the U.S. or its territories. If you do have offshore subcontractors, they must be approved by each of your carriers.


Should you be selected for a carrier audit, be honest and open-minded about getting your office compliant within the CMS guidelines. We all want to keep our clients’ information safe. Please let us know if you have questions or would like to further discuss your agency’s compliance model. Our goal is to make you comfortable advising your agents, knowing that you are operating within CMS guidelines.